Windows Shortcut (LNK) Malware Strategies

Attackers are increasingly exploiting Windows shortcut (LNK) files for malware delivery. Our telemetry revealed 21,098 malicious LNK samples in 2023, which surged to 68,392 in 2024. In this article, we present an in-depth investigation of LNK malware, based on analysis of 30,000 recent samples.

Windows shortcut files use the .lnk file extension and function as a virtual link that allows people to easily access other files without having to navigate through multiple folders on a Windows host. The flexibility of LNK files makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware.

Our research indicates LNK malware falls into four categories:

• Exploit execution
• File on disk execution
• In-argument scripts execution
• Overlay execution

We explain each of these techniques in detail with examples to help readers better understand how attackers abuse LNK files in the real world.

As LNK files are becoming a more popular component of malware distribution, everyone should be familiar with this threat, not only cybersecurity professionals but also regular Windows users. Use caution when handling unknown LNK files, especially if you have downloaded them from the internet.

LNK malware files can have familiar icons or names that mimic trusted applications or documents to trick users into opening them. To identify such threats, carefully examine the file’s properties, especially its target location, by right-clicking on the LNK file and selecting “Properties.” If the target seems unusual (e.g., pointing to unknown directories or being abnormally long, indicating suspicious arguments), avoid executing the file.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

Windows uses LNK files, also called shell links or shortcuts, to create quick access links to files, folders or applications at different locations. Figure 1 shows examples of LNK file icons, which people typically place on their desktop. These icons are easily identifiable because of the small arrow in the bottom-left corner.

LNK files allow people to start a program without having to locate the executable, which is often stored deep in a directory structure in locations like C:\Program Files\[Program Name]\[xxx].exe. An LNK file can also point to a non-executable file, like a PDF document or JPEG image, where double-clicking on the LNK file is equivalent to double-clicking on the actual file.

While LNK files have an .lnk file extension that appears in command-line tools, Windows will never show an .lnk file extension on the Windows desktop or in File Explorer. For example, an LNK file named Invoice.lnk will only show Invoice as the filename.

Someone can create an LNK file using different methods in Windows. The easiest method is to do the following:

• In File Explorer, right-click on the item to bring up a menu
• Select “Show More Options” from the menu if using Windows 11
• Select “Create shortcut”

This brings up a Create Shortcut window to select the location of the desired item.

This creates an LNK that has the location of the original file. Alternatively, people can copy a file and use the “Paste shortcut” option that will paste an LNK pointing to the item.

People can right-click on an item, use the “Send to” option and select “Desktop (create shortcut)” to create an LNK file.

Finally, people can also right-click in the background of File Explorer and select “New” and “Shortcut.” This brings up a Create Shortcut window to select the location of the desired item.

Figure 2 illustrates the LNK file for Microsoft Edge with the default Windows installation.

Figure 2 shows common properties and fields of an LNK file. As highlighted, the most important field is the Target field, where the value is set to:

“C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe”

Consequently, this LNK file enables someone to start Microsoft Edge.

While LNK files may seem simple at first glance, their flexibility lends to their abuse in several ways. Let us look at a malicious sample in Figure 3.

LNK files have a binary file format, and Figure 4 shows their structure.

In Figure 4, optional fields are wrapped in square brackets. Except for EXTRA_DATA, each of the structures starts with its size followed by the content. The STRING_DATA field consists of five sub-fields, two of which are essential for LNK malware.

Of note, the only field required for a valid LNK file is its header. Intuitively, a header-only LNK file is most likely harmless because it will neither have the ability to execute any items nor resolve any paths. Based on our empirical analysis of 30,000 malicious LNK samples, an LNK file containing only a header is likely to be benign.

In LNK files, three fields from Figure 4 are directly related to the target resolution and execution, which are highlighted with a green background:

The LINKTARGET_IDLIST field has the following structure:

LINKTARGET_IDLIST specifies the location of the target (i.e., the item an LNK file is pointing to). As the field name implies, its structure is a list of Windows shell items. Figure 6 illustrates the LINKTARGET_IDLIST structure of an LNK file for Microsoft Edge.

This field contains several types of Window shell items, but the most common ones used in LNK files are ROOT, VOLUME and FILE ENTRY:

• A ROOT item is almost always present and contains a CLSID (i.e., GUID) of a shell folder, acting as the starting point for the path to the target. IDList[0] is ROOT in Figure 6.
• A VOLUME item is often used to specify the disk volume (e.g., the drive letter in Windows) of the path. It can also be used to specify a shell folder by its CLSID. IDList[1] is VOLUME in Figure 6.
• FILE ENTRY items can present a single path component of the target. IDList[1] through -IDList[6] are all FILE ENTRY items.

In summary, a valid LINKTARGET_IDLIST will usually have a chain of shell items consisting of ROOT, VOLUME and/or FILE ENTRY items that can precisely specify a target.

The RELATIVE_PATH has the following structure:

RELATIVE_PATH is a part of the STRING_DATA field, which is either a plaintext ASCII or a Unicode string. It is the relative path of the target with respect to the LNK file, and it resolves the target if the LINKTARGET_IDLIST fails. Typical cases are when LINKTARGET_IDLIST specifies an invalid target or the LINKTARGET_IDLIST is completely missing.

The COMMAND_LINE_ARGUMENTS has the following structure:

COMMAND_LINE_ARGUMENTS is another component of the STRING_DATA field. It supplies the command-line arguments for an executable target. This field is either a plaintext ASCII or a Unicode string. This value is appended to the path of the resolved target to form a complete command to execute.

Attackers can leverage LNK files in various ways, which we can classify into four categories:

• LNK exploits
• Malicious file execution
• In-argument script execution
• Overlay content execution

The first major type of LNK malware is an exploit. These are corrupted LNK binaries designed to exploit Windows.

Since Windows processes the LNK file as soon as it opens the containing folder, these exploit-based LNK files can exploit vulnerabilities in OS components. As Microsoft patched modern Windows versions to prevent these exploits, these types of malicious LNK samples have become less common. However, because these samples usually cause parsing problems during malware analysis, we should still understand how to distinguish an exploit-based LNK file from other corrupted samples.

The exploit of the first variant is in the ROOT (1) sub-field of LINKTARGET_IDLIST, specifically, the extension block (ExtraBlock) of the ROOT node. Figure 7 shows an example of this variant opened in 010 Editor.

The indicator of compromise (IoC) of the first variant is in the VOLUME node of the LINKTARGET_IDLIST. Figure 8 shows a sample of this exploit variant opened in 010 Editor.

Instead of containing malicious content, LNK malware can execute malicious files (either script or binary) that attackers have already saved to disk on the victim host. This type of LNK malware either points to a malicious file, or it points to a system target that can help execute a malicious file.

The goal of this type of LNK malware is simple: execute a malicious file on disk. Figure 10 shows a sample of this type of malware.

LNK malware files often trigger malicious scripts or other files that cannot be directly executed. In such cases, the LNK file points to a Windows system tool (a system target) that can execute the malicious code.

Figure 11 shows the target from this type of malicious LNK sample.

The most common interpreters used by LNK malware of this type are the command prompt file cmd.exe and the PowerShell file powershell.exe. These are commonly included with Windows installations. In addition, they can indirectly invoke other system targets (e.g., start command in cmd.exe).

Based on our analysis, cmd.exe and powershell.exe collectively account for over 80% of the targets used for in-argument script execution by malicious LNK files.

Figure 13 shows an example of LNK malware with a PowerShell command to execute a malicious script in the COMMAND_LINE_ARGUMENTS field.

The Console Window Host (conhost) tool named conhost.exe manages and displays the input/output of command-line tools like cmd.exe. Conhost can be used as a parent process when executing commands to hide the execution of the malicious code from the user’s eyes. We occasionally find malicious LNK files that use conhost.exe to execute scripts. Here is an example shown in Figure 16.

The forfiles command in Windows is similar to the find command in UNIX. This command finds files based on naming patterns. It can also execute arbitrary commands by passing a /c argument, where forfiles will run a specified command on each file it finds.

Figure 19 shows an example of a malicious LNK file using forfiles.

We commonly find extra data appended after the supposed end of malicious LNK files. Since appending data to an LNK file will not cause parsing issues, another type of LNK malware appends malicious scripts or other types of payloads to legitimate LNK files. We call this data “overlay content.” Because Windows will ignore everything after the supposed end of the LNK file, this type of LNK malware must use a specially crafted COMMAND_LINE_ARGUMENTS field to detonate the scripts as desired.

Windows command-line utilities find and findstr are used to search for specific string patterns of text within files, similar to grep commands in UNIX. Malicious LNK can use this command to locate the accurate position of the malicious content in the overlay to ensure it executes malicious code properly.

Figure 21 shows an example of LNK malware where it uses the findstr command recursively to hide and execute the malicious code.

This is the second technique of overlay content. Attackers commonly use malicious HTML Application (HTA) files for different types of malware, and we also find HTA files used in LNK malware. Windows uses mshta.exe to run HTA content. As mshta.exe is a very forgiving interpreter, it will ignore everything in a file until it finds the HTA prologue tag hta:application.

When a malicious HTA file is appended as overlay content to an LNK file, there is no need to find out where the HTA content starts. Instead, a simple command will do the trick: mshta [name of malware].lnk. Figure 26 shows an example.

PowerShell commands and intrinsics such as Select-String, Get-Content and .Substring can be used to find or extract content. The benefit of using PowerShell commands is that they can be encoded to evade detection.

Figure 29 shows an LNK malware example using this technique to execute a Base64-encoded PE file in the overlay.

These three types of overlay content execution techniques have different advantages. Specifically:

• find/findstr: This technique is universal and easy to implement. It can use different patterns as delimiters, and it can support different kinds of payload. In addition, the find command can be obfuscated using standard script obfuscation techniques.
• mshta: This technique is easy to implement, as mshta.exe is so tolerant that it will ignore all non-HTA content. Attackers effectively only need to invoke mshta to execute the LNK file itself. However, the payload must be an HTA script.
• PowerShell command/intrinsics: While this technique is relatively complex to implement, it can use advanced obfuscation to hide or obscure the malicious payload in the overlay content.

These three techniques comprise about 95% of the techniques we have seen in our LNK malware dataset. Figure 34 shows this breakdown.

The remaining 5.6% includes different techniques to locate and execute overlay content, including using fixed offset and executing a loader program. PowerShell’s capability enables an array of techniques for executing malicious content in the overlay, limited only by the attacker’s own imagination.

This article reviews four different types of LNK malware, providing fundamental information for LNK malware analysis. This information is not only valuable for threat analysts, but also useful for data analysts. All Windows users should examine any suspicious LNK files before double-clicking on them to ensure they are not malicious.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

The following are SHA256 hashes of the LNK malware samples reviewed in this article:

• a90c87c90e046e68550f9a21eae3cad25f461e9e9f16a8991e2c7a70a3a59156
• 08233322eef803317e761c7d380d41fcd1e887d46f99aae5f71a7a590f472205
• 9d4683a65be134afe71f49dbd798a0a4583fe90cf4b440d81eebcbbfc05ca1cd
• a89b344ac85bd27e36388ca3a5437d8cda03c8eb171570f0d437a63b803b0b20
• 28fa4a74bbef437749573695aeb13ec09139c2c7ee4980cd7128eb3ea17c7fa8
• fb792bb72d24cc2284652eb26797afd4ded15d175896ca51657c844433aba8a9
• f585db05687ea29d089442cc7cfa7ff84db9587af056d9b78c2f7a030ff7cd3d
• b2fd04602223117194181c97ca8692a09f6f5cfdbc07c87560aaab821cd29536
• 86f504dea07fd952253904c468d83d9014a290e1ff5f2d103059638e07d14b09
• ​​d1dc85a875e4fc8ace6d530680fdb3fb2dc6b0f07f892d8714af472c50d3a237
• 76d2dd21ffaddac1d1903ad1a2b52495e57e73aa16aa2dc6fe9f94c55795a45b