I downloaded this malicious Microsoft shortcut sample from VirusTotal for analysis.

After downloading, I renamed it to sample.lnk (.LNK is the Microsoft shortcut extension).

When I opened the Properties tab of this file, I found the properties below, which clearly show it's not a shortcut to any application but a PowerShell script which executes on opening.

Target Type: Application

Target: PowerShell script

Description: Windows PowerShell

I copied and pasted the PowerShell script into a text file.
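The same fields can also be read statically from the file, which avoids opening the shortcut and does not depend on what the Properties dialog displays (it can truncate a long target). The following is an added example, not part of the original analysis: a minimal Python parser for the shell link format (MS-SHLLINK) that extracts the description and command-line arguments; `build_sample` and its harmless contents are constructed for illustration, and cp1252 is an assumed code page for non-Unicode links.

```python
import struct

# LinkFlags bits defined in the MS-SHLLINK specification
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link without executing it."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link (bad header size or CLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"show_command": struct.unpack_from("<I", data, 60)[0]}  # 7 = minimized
    pos = 76
    try:
        if flags & HAS_IDLIST:      # IDListSize (2 bytes) + item ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        # cp1252 is an assumption; the format uses the system default code page
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        for bit, field in STRING_FIELDS:    # fields appear in this fixed order
            if not flags & bit:
                continue
            count = struct.unpack_from("<H", data, pos)[0]   # length in characters
            raw = data[pos + 2 : pos + 2 + count * width]
            if len(raw) != count * width:
                raise ValueError(f"truncated {field} string")
            out[field] = raw.decode(codec, errors="replace")
            pos += 2 + count * width
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc
    return out

def build_sample() -> bytes:
    """Constructed, harmless link: header plus Unicode name and arguments."""
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, 0x04 | 0x20 | 0x80)
    header += bytes(36) + struct.pack("<I", 7) + bytes(12)   # ShowCommand = 7
    return (header + s("Windows PowerShell")
            + s('-NoProfile -Command "Write-Output constructed-sample"'))

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key}: {value}")
```

To inspect a real file, pass the bytes read from it (opened in binary mode) to `parse_lnk` on an analysis machine.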

Behavior of PowerShell script:

Downloads another PowerShell script, out-763347625.ps1, from the URL https[:]// latinotca-ar[.]com

I double-clicked on it to check the behavior; a command prompt window opened and closed.

I could see the PowerShell script executed and tried to connect to the URL. Wireshark captured the network traffic.

The website has been taken down. I tried to open the URL in a browser, but the URL is inaccessible.

VirusTotal sample:

SHA-256: 5c5c2c6197d4b1c24c438b8fb0452257c9e4085ac59297a985ec92ef1720b74d