rule lnk_wiped {
	meta:
		author = "gvenere"
		description = "LNK with wiped metadata"
	strings:
		$lnk_magic = { 4C 00 00 00 }
		$ext1 = ".js"
		$ext2 = ".bat"
		$ext3 = ".cmd"
	condition:
		$lnk_magic at 0x0 and uint16(0x1c) == 0x0 and uint16(0x24) == 0x0 and uint16(0x2c) == 0x0 and (any of ($ext*) in (0xa0 .. 0x100))
}