Using lnk file to deceive users in phishing attacks

Pierluigi Paganini May 04, 2014

Expert at Trustwave explained the tactics adopted by cyber criminals how to serve malware in phishing attacks exploiting  .lnk files.

Phil Hay, expert at Trustwave SpiderLab, explained how cyber criminals  are using .lnk files to serve malware via email. I have chosen to detail this tactic to demonstrate how much creative is the criminal ecosystem, even if it exploit consolidated and well known vector of attack like phishing.

.lnk files are Windows Shortcut files, its usage it is not new to malware authors, in the specific case Hay discovered a mail appearing  sent from a legitimate source (e.g. An individual at Automatic Data Processing) having as attachment  what looks to be a PDF document and a ZIP archive.

lnk files malware vector

In reality the file “statement.pdf” isn’t a pdf file but an executable, while the ZIP archive includes a collection of. lnk files and a copy of the executable “statement.pdf”.

Let’s give a close look to the link to understand the tactic adopted by criminals, analyzing the properties of the link file it is possible to discover much more. When the victim clicks on the .lnk file in reality he runs the cmd.exe which allow the execution of statement.pdf file, regardless its extension, using the “/c” option.


lnk files malware vector 2


“The target runs cmd.exe in the current directory and executes “statement.pdf” with a /c option, which simply means “Carry out the command specified by string and then terminate”.” states the blog post.

As explained by Microsoft in this post, you can run files using the command prompt (cmd.exe), the console uses the Kernel32 API function CreateProcess to examine the content of the file and execute it regardless of its extension.

Clicking on “Statement.pdf” file user will observe that nothing happens, this can induce user to extract the content of the zip archive, seeing a series of “parts”. Clicking on them victim will infect his machine.

lnk files malware vector 2 parts

“These parts do not show a .lnk extension because these are hidden on Windows (think of your desktop shortcuts). But when clicked, the malware is executed, and the user’s machine is now infected.  In this case, the malware was an Upatre downloader, VirusTotal report here for those interested.” reports the post.

An attack compose in this way allows criminals to bypass any email gateways that seek to block executable file simply analyzing the extension instead to examine the file contents. Another element to consider is that also to a visual inspection of the unsolicited mail, its attachment appears to be a “harmless” because it is a PDF file.

Resuming the .lnk files provide a way to invoke cmd.exe to run the renamed executable to infect the victim’s machine.

Be aware cybercrime is always lurking!

Pierluigi Paganini

(Security Affairs –  lnk files, phishing)

you might also like

leave a comment