This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Topic 4.7 of Malicious Web & Document Files
After Microsoft blocked internet-marked macros by default in 2022, attackers shifted to LNK files. This topic covers the LNK binary structure, embedded command-line abuse, and the bypass techniques used in QakBot and IcedID delivery chains, with analyst tooling for triage.
By the end of this topic, you will
Quadrant 1 · e-Tutorial
Video content coming soon.
Quadrant 2 · e-Content
Quadrant 3 · Web Resources
Downloadable reference material
External links
Microsoft: [MS-SHLLINK] Shell Link Binary File Format
The authoritative specification for the LNK binary format. Required reading for understanding the field layout.
Proofpoint: LNK Delivery Rise After Macro Blocking
Proofpoint's tracking of the shift from macro-based to LNK-based delivery across 2022.
LnkParse3 (Python)
Python library for parsing LNK files. Outputs full structure as JSON including command-line arguments.
Quadrant 4 · Self-Assessment
Malicious Web & Document Files
Covers drive-by download attacks, JavaScript de-obfuscation, malicious PDF analysis, RTF exploitation, and Microsoft Office macro malware.
REMA Complete Assessment
A comprehensive 120-question assessment covering the entire Reverse Engineering and Malware Analysis curriculum: malware taxonomy and reverse engineering fundamentals, static and dynamic analysis, reversing malicious code, malicious web and document files, in-depth analysis of packed and fileless malware, and self-defending malware techniques.