Evasion by Annoyance: When LNK Payloads Are Too Long

montysecurity
Oct 26, 2023

Introduction

I was analyzing this sample from the Malware Hunter Team and ran into hours of trouble trying to parse the full payload out of the LNK file because it is unusually long. I will go through my troubleshooting process and showcase how I managed to finally pull the whole payload out. (I should have known something was up when MHT indicated the LNK was 40+ MB.)

Malware Hunter Team's Tweet

The Analysis

The ISO file appears to have been uploaded to VT roughly a week or two after initial creation.

ISO File VT Info

Downloading and mounting the ISO file on a Windows machine shows a LNK and EXE file (the EXE file is marked as “hidden”).

ISO File Contents

If we look at the LNK properties, we see a bunch of blank space.

LNK Properties

By copying the contents of “Target:” to CyberChef, we see the blank space is actually preceded by a cmd.exe invocation.

Surely this is not the actual payload. So let's keep digging.

The next thing I tried was parsing it with PowerShell, using this post as a reference, and this is what I got:

CyberChef

Sweet, we have some PowerShell. But decoding the Base64 leaves you with a PowerShell comment that appears to be lorem-ipsum-style text.

PowerShell Payload Decoded

The next thing I did was assume I had misunderstood something about text encoding, so I used the "Decode text" operation in CyberChef to try all of the encodings and see if anything resembled a payload. That was not the case (and it took a long time to try all of them).

CyberChef with Decode Text Operation

After that, I opened the LNK file in Notepad and noticed a much larger payload staring me in the face.

LNK Raw Content

I was not satisfied with this answer though, because I “stumbled across” it. I wanted to find a tool to use in the future for this stuff. So I did some research and found out there is a Linux utility that can be used to parse LNK files. Thanks to this post.

So I started a REMnux VM, mounted the ISO image on it, and used lnkinfo to pull the payload out. This time it worked: we got the whole payload!

After decoding it from Base64 we see 2 lines. The first one (above the red mark on the left) is the PowerShell comment from earlier, and the second one (below the red mark) is the actual payload.

Focusing on the second line, it runs the EXE that was shipped with the ISO file.

LNK Payload

Conclusion

The main point of this post is to showcase the unusual case where an LNK payload is too long to pull just by looking at the file properties, and to provide a solution for that. In this case I used REMnux (you will need to install the necessary package mentioned in the SuperUser post: sudo apt install liblnk-utils).
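To show why the raw file gives you the whole string while the properties dialog does not, here is a small parser I added for this post (not the author's code and not liblnk). It reads the ShellLinkHeader flags, skips the optional ID list and LinkInfo structures, and then reads each StringData field by its 16-bit character count, so a long run of whitespace padding cannot hide what follows it. The sample LNK is constructed inline and assumes the payload lives in the COMMAND_LINE_ARGUMENTS field.

```python
import struct

# LinkFlags bits from MS-SHLLINK that decide what follows the 76-byte header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, each read in full.

    A field is a 2-byte character count followed by the string (UTF-16LE when
    IsUnicode is set, ANSI otherwise), so the count, not the content, decides
    where the field ends. Whitespace padding is returned as-is.
    """
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", data, 0x14)[0]      # LinkFlags follows HeaderSize + CLSID
    pos = 0x4C
    if flags & HAS_ID_LIST:                               # LinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                             # LinkInfo: its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # cp1252 for the ANSI case is an assumption; real files use the system code page.
        out[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return out

def build_sample_lnk(args: str) -> bytes:
    """Constructed minimal .lnk (header + COMMAND_LINE_ARGUMENTS only) for offline testing."""
    if len(args) > 0xFFFF:                                # the count field is 16 bits wide
        raise ValueError("arguments too long for a StringData field")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C,
                         bytes.fromhex("0114020000000000c000000000000046"),  # ShellLink CLSID
                         HAS_ARGS | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `parse_lnk_strings(open("sample.lnk", "rb").read())["arguments"]` on a mounted sample to get the full argument string, padding included; for anything beyond the StringData fields (extra data blocks), fall back to lnkinfo.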

For a Windows-based solution, Mandiant has a blog where they reference LECmd but I have not tried it.
