Malicious LNK File Analysis
I noticed a LNK file uploaded to Malware Bazaar and wanted to take a look. It turns out to be an onion of obfuscated PowerShell that eventually leads to an executable (tagged as Cobalt Strike, though we won't go into the EXE in this video).

Sample on MalwareBazaar: https://bazaar.abuse.ch/sample/0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9/
LnkParse3: https://pypi.org/project/LnkParse3/
☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[01:04] Overview of file in Malware Bazaar
[02:00] Looking at lnk in a Windows VM
[03:11] lnkparse on file
[04:04] Downloading and unobfuscating layer 1
[05:20] Analysis of layer 1, unobfuscating layer 2
[07:55] Analysis of layer 2
[08:50] Accidentally download directory listing
[10:45] Looking at decoy PDF
[12:03] Comparing binaries from two tmp zip files
[12:54] Not going to RE binary here
[13:23] Looking up hashes in Malware Bazaar and VirusTotal
[14:56] Wrap up
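Added example, not code from the video or from LnkParse3: a small pure-Python parser for the Shell Link header and StringData section (the fields lnkparse shows at 03:11), followed by a defender-side triage pass for the hidden, encoded PowerShell launch pattern the video unpacks. The LNK bytes it parses are constructed inside the block; the MalwareBazaar sample itself is not embedded.

```python
import struct
import uuid

# MS-SHLLINK 2.1.1: fixed LinkCLSID, the header LinkFlags bits used here, and the
# StringData sections in on-disk order keyed by the LinkFlags bit that enables each
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = {"name": 0x04, "relative_path": 0x08, "working_dir": 0x10,
                 "arguments": 0x20, "icon_location": 0x40}

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and every StringData string present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize, not a Shell Link")
    if uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("bad LinkCLSID, not a Shell Link")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    for key, bit in STRING_FIELDS.items():  # CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2:off + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return out

def triage(parsed: dict) -> list:
    """Flag the pattern from the video: hidden PowerShell with an encoded command."""
    target, args = (parsed.get(k, "").lower() for k in ("relative_path", "arguments"))
    findings = []
    if "powershell" in target or "powershell" in args:
        findings.append("invokes powershell")
    if "-enc" in args:  # -enc, -EncodedCommand and the abbreviations in between
        findings.append("encoded command")
    if "hidden" in args or parsed["show_command"] == 7:  # 7 = SW_SHOWMINNOACTIVE
        findings.append("window hidden or minimized")
    return findings

def build_sample_lnk(args: str, target: str, show_command: int = 1) -> bytes:
    """Constructed test input (not the MalwareBazaar sample): header + three strings."""
    flags = IS_UNICODE | sum(STRING_FIELDS[k] for k in ("relative_path", "working_dir", "arguments"))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID.bytes_le,
                         flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(target) + enc("C:\\Windows\\Temp") + enc(args)
```

The parser also skips a LinkTargetIDList and LinkInfo block when the flags say they are present, so it reads the StringData of real shortcuts, not only the constructed one.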