Malware Analysis and Short Links

Effective malware analysis tools can help root out malicious short links and enhance the security of individuals and organizations.

Short URL's

Referred to as short links, shortened URLs, or tiny URLs, these abbreviated versions of a URL have, at least in certain cases, a few advantages over fully expanded URLs. Their small size is invaluable when space is an issue. Short links also promote sharing, and because organizations can configure them to terminate or expire, they can enhance security in some applications.

However, cybercriminals use short links to disguise malicious websites. There is just no way that a user can tell what the true destination is by looking at a short link. The only thing the user will see is the link shortening service’s name, followed by a string of seemingly random numbers and letters. Hackers know that a user is more likely to click on than on http://maliciouswebsite.that.will.steal.your.identity.exe. The above short link, created by in this case, doesn’t have anything in it that would reveal that it links to a malicious site.

Cybercriminals use short links, created by shortening services, to plant malware and phishing links on social media and other sites. It’s a very effective method for hackers to reach a wide audience of individuals who have a tendency to click on things spontaneously, which dramatically increases the percentage of infections.  

Steps a User Can Take to Protect Against Malicious Short Links

End users can do a number of things to protect themselves from malicious short links. Because it’s impossible to know where a short link actually leads, users should avoid clicking on them until they have verified that the link is legitimate and free from malware. There are a number of sites and tools that will identify where a short link leads without having to actually click on it. Some even perform rudimentary malware analysis. Here is a couple to consider:

  • ExpandURL is a service that returns the destination of a shortened URL without clicking on the link. Extra information will also be retrieved from the shortened URL, such as the title, description, and keywords on the webpage.
  • CheckShortURL lets you input a short link to see what the destination is before you visit it. The site provides information such as title, description, keywords, and page author, and tells you if the original URL is found on popular search engines or Twitter. It also lets you know if the hidden link is safe or not.
Malware Analysis and Short Links

Figure 1: Expanded short URL []

How Enterprises Can Prevent Infections from Short Links

In addition to educating employees and users about the pitfalls of short links and tools for seeing the underlying URL, enterprises can use advanced malware analysis tools to detect when a link, even a short link, is malicious. For example, an advanced breach protection platform can evaluate files, web pages, emails, and attachments to determine if malicious short links are present.

These sophisticated malware analysis tools use several techniques to identify short links that are dangerous. Detection methods include the following:

  • Expanding the URL, and evaluating the full address
  • Checking to see if other security systems have previously blacklisted the URL as a known malicious entity
  • Examining the file that holds the URL for hidden JavaScript or other malicious code
  • Checking the file that holds the URL for sandbox evasion tactics, or other anomalies
  • While contained in a safe and isolated environment, executing the file that contains the URL, exercising the links, and monitoring all behavior for malicious activities


Short URLs and their potential dangers aren’t going away. They make perfect sense when space is limited, or when there is a massively long link that users need to enter or read to someone over the phone.  

Although end users can do a lot to protect themselves and their organization from malicious short links, doing so requires a substantial effort on their part. The organization must educate users about the pitfalls of short links, and the users must be willing to take the extra steps to manually check them out. Unfortunately, history has shown that users will continue to click on short links, risking infection.

To fully guard against the dangers of short links, organizations need to deploy malware analysis and breach detection tools that are specifically designed to detect advanced malware that utilizes short links.

Learn more about protection from malicious links.

Brian Laing

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.
Brian Laing