• Sublime Core Feed
High Severity

Attachment: LNK with embedded content

Labels

Malware/Ransomware
Exploit
LNK
Scripting
Content analysis
Exif analysis
File analysis

Description

Emotet has been observed to embed executable content within an LNK file to deliver and execute VBScript when launched.

Similar research has demonstrated how this concept may be applied to deliver and launch an embedded executable via PowerShell.

References

@ajpc500
Created Aug 17th, 2023 • Last updated Jan 12th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(attachments,
      .file_extension == "lnk"
      and any(file.explode(.),
              .file_extension =~ "lnk"
              and any(.scan.exiftool.fields,
                      (.key == "TargetFileSize" and .value == "0")
              )
              and any(.scan.exiftool.fields,
                      (
                        .key == "CommandLineArguments"
                        and strings.ilike(.value,
                                          "*findstr*",
                                          "*sc $path*",
                                          "*Set-Content*"
                        )
                      )
              )
      )
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started