Office maldoc + .lnk
Last Updated: 2017-07-15 20:38:46 UTC
by Didier Stevens (Version: 1)
Reader nik submitted a malicious document. It's an Excel spreadsheet containing a Windows shortcut. As Windows shortcuts can contain interesting metadata like the MAC address of the computer that created the .lnk file, I took a closer look.
First we take a look with oledump:
The 0 next to stream A2 indicates the spreadsheet contains an embedded OLE2 object.
We can get more info:
It's a Windows shortcut file (created by Windows user Tiny).
We will extract it for further analysis:
And then we can use Woanware's lnkanalyser:
Unfortunately, the .lnk file does not contain interesting metadata. But we can see that it uses PowerShell to download an executable from Dropbox.
Microsoft MVP Consumer Security