FORENSICS: Into the Rabbit Hole and a PIF

By B4nd1t0

Published on: October 23, 2022 | Reading Time: 9 min | Last Modified: October 23, 2022


We explore the workings of a scam and the malware used for it.

PREMISE: An artist caught a scammer pretending to be a representative from “KnownOrigin”, a Digital Art Marketplace for “NFT art”. The lure was an archive of files under the pretext of an interview, but it turned out to be a malicious executable that led to another malware. While scamming is not new, the spearphishing attempt was interesting as someone who follows 3D/pixel artists. Given that the artist publicly disclosed the interaction and trolling, I saw it as an opportunity explore the phishing attempt and what was likely the malware.

OBJECTIVE: Share the step-by-step process of the investigation with the thoughts behind it and to provide transparency of the tools used, its purpose, and additional insight.

Events to Explore

  • The Phishing Email
  • Use of WeTransfer
  • First Stage Malware - Downloader
  • Second Stage Malware

Spearphishing Email

This interaction was shared on Twitter by the artist. While the artist cleared me to post his link, I’ll still err to caution in this article.

In this case, the artist in question did not take the bait, but with the details shared, there is an indicator to follow, as we’ll explore in the next section.

WeTransfer Usage

WeTransfer is a platform that provides a means to deliver large files to specific users for within a time limit. Even without registering, the sender is alloted 2 GB worth of data. It is not without its safety mechanism, as the user still have to validate their email before it can be sent. In hindsight, this provides means for threat actors to send phishing emails while minimizing attribution.

WeTransfer offered services

From the spearphishing email was the URL of interest,

I had two options to explore the malicious site, my own sandbox VM or browserling. Since I wanted to do a quick look, I decided to use the Browserling tool.

BROWSERLING OVERVIEW: Browserling is an interactive sandbox that enables interaction with the URL within a two minute timeframe. While there are additional capabilities for Premium accounts, 2 minutes will suffice for this investigation.

CAUTION: > It is highly recommended that it is not used for work as the URI will still show the complete URL. In order, the URI displays the chosen mode of the OS-type, browser, and then URL (e.g /browse/win/7/chrome/105/ If it was a malicious site, this would set off the security alert at a work site.

Following the URL will lead to the WeTransfer landing page with an expected ‘Interview’ package in the form of a RAR file.

The next course of action is getting a hold of the sample for review, now requiring the personal sandbox.


Setting up a personal sandbox is generally either on Virtualbox or VMWare. I personally use VMWare Workstation.

Objective: Identify the masquerading document’s purpose.

Within the RAR file are two files that relate to the interview, one with the .DOCX extension and the other with a curious double extension (PDF.PIF). The PIF extension was the most curious given that it’s not typically used within the Windows environment.

PIF (Program Information File) consists of information used to determine how an MS-DOS-based program should run but can also be a shortcut to an executable (File Format Documentation). However, it is worth noting that it is not used these days due the absense of DOS software. More importantly, there is a malicious nature behind why the extension is used.

Once extracted, there was another observation that warranted a deeper look: The PIF extension did not render, only showing the PDF. This takes into the account that the computer is set to view extensions. Whether ‘File name extension’ is enabled or disabled, the PDF extension remains.

Using the PIF extension aids in obfuscating the file’s true nature. The extension is still viewable in command line. This is made to trick a less computer-savvy individual.

Before moving on to the next machine, I reviewed the other document. It is unknown if the document is supposed to be a decoy, but there was some content.

Swapping to Linux Machine

One thing that I’ll note is that the Tsurugi machine is set to EST (GMT-5). All references to the GMT-5 is tied to the system information of the machine.


First, we’ll take a look at the files to understand the true nature of the sample data. The file command is a good way of identifying the file based on its examination of the Magic Number, or the first two bytes, of the hex.

The last example identified that the file with the double extension is a 32-bit portable executable.


Exiftool is useful for grabbing the metadata. While typically associated with gathering the metadata from photos, it can also pull metadata from files such as documents and even executables. This can reveal some interesting details.

The first example highlights the difference between exif and exiftool. The former will not provide any metadata for non-images and may also break on certain images. In contrast, the latter command will reveal the metadata of any type of file as shown below.

Before moving on to the next example, there are some important parts to highlight for interpretation.

  • File Modification Date/Time: The date shown was when the document was first created, which appears to be on 20 September 2022. The timezone noted was 13:30 GMT-4. GMT-4 is the timezone out in the Carribean.
  • Creator/Last Modified By: ‘Windows User’ as a name is generally considered default, even likely tied to a virtual machine.
  • Create/Modify Date: The time is similar based on on 20 September, but the date is shown in UTC.

CONCLUSION: A point of interest is that it is possible that the developer, or at least, judging by the system was at the Carribean. It is important to take into account that it was developed on a throwaway VM so it is also possible that the time was used randomly. Given the date of the document, it is possible that the targeting was planned ahead of time.

Moving on to the malware itself, there are some characteristics to look at.

  • File Modification Date/Time and Timestamp: The timestamp shows the GMT-4 which is consistent with the Carribean location of the system where the malware was created at. The difference is that it was made on 4 October 2022, about two weeks after the document was drafted.
  • Internal / Original File Name: Instead of the fake document name, the original name of the application is ‘coolnow.exe’. The purpose around the name is not known.


In order to get a good quick analysis on the files, strings command is a good down and dirty way to get the required information. I consider this an analyst’s best friend, especially if you want to get to quick details.

Based on the initial details, I already have an indication that the malware is not packed and there is another indicator to follow, particularly the URL that appears to have a ‘jpeg’ image.

With the URL, I would check the domain to understand when it was registered and who is its Registrar as it could link to a campaign depending on how often it’s seen.

Domain Name:
Registry Domain ID: 7943340045f744feab427d6b2ff6cd26-DONUTS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2022-10-14T11:27:00Z
Creation Date: 2022-07-11T18:33:06Z
Registry Expiry Date: 2023-07-11T18:33:06Z
Registrar: Hostinger, UAB
Registrar IANA ID: 1636

In this case, it’s creation time was in July of 2022, but it’s difficult to make any other inference beyond its current use.

There are a few more strings that is useful for reviewing the APIs that are called.

Windows Static Analysis

On the Windows machine, PEStudio is one of the more useful tools for static analysis because it’s useful to get quick details in the GUI.

First off is the overview, which will give the hashes, the magic number, the kind of executable as well as the time that it was compiled.

The next section are the indicators: The URL has shown up again. In addition are the identity of the application and its original name.

VirusTotal (VT) section will be called upon if it’s connected to the internet and if the sample was already uploaded (which I did prior).

Lastly, the version has the useful details of the ‘Internal name’ and ‘Original Filename’.

CONCLUSION: Given the URL tied to the malware, it’s identified as a downloader. If the user had clicked on the obfuscated ‘PDF’, it would download the next payload, currently considered a ‘jpeg’ image, ‘Avjgbjt.jpeg ‘.

Second Stage Malware

In order to grab the second payload, I used Wget from the Linux machine to retrieve the next sample to examine.

As a recap on the identifying, I reverted to using file to understand if it is actually an image.

In this case, it turned out that it was not a JPEG, but ASCII text. I would review the through concatonating cat Avjgbjt.jpeg.

What stood out is was the magic number 4D 5A, which correlates to MZ, which is for a portable executable.

The next step was to turn it into a binary so that I could examine it more. In order to do that, I would read the output and convert it using the xxd, which is used to create a hexdump with -r -p to read the dump without the line number information, then convert the output into a filename, which I’ve affectionately chose “demonlord”.

The next step is collecting the metadata on the file.

We were able to uncover that it was not an image file, but a text file that would had been converted into a binary called “Tfvifjufqv.dll”. It’s notable that the compilation date, according to the Time Stamp, was on 4 October from GMT-4.

Identifying the capabilities of the malware, at this point, was a little outside of my wheelhouse, but it was quite the exercise exploring the functionality up to this point.

Investigation Key Takeaways

  • Threat actors can use the PIF extension as a means of bypassing the “view file extensions” functionality and obfuscate the file’s real purpose
  • WeTransfer provides an additional phishing capability

Indicators of Compromise

While this is not terribly useful for the readers, I offer this out of practice and maybe spark interest in reviewing the samples. The samples can found on VirusTotal.

Indicator Type Description
com-help[.]live Domain Used to retrieve the 2nd stage malware
com-help[.]live/loader/uploads/Avjgbjt.jpeg URL Full URL of the malicious file
fa60edc15d1ee6db399d9a55aeb6b20c MD5 coolnow.exe
dc38105ae28a5e29130cc1cf4b7d1a0963bf0d95 SHA1 coolnow.exe
6d08e6bff8e0acb0e657ed94bd2157774159ed5cad751f5018511f6da8b7c174 SHA256 coolnow.exe
c791e53983dadaf3669524ecc03a1890 MD5 Avjgbjt.jpeg
9cff9e019ed0c1b8fd29c0ceb5252eaf3d6cd711 SHA1 Avjgbjt.jpeg
ceaa12b8a4c6665bdb332d8365fbcf7b989587109a3be76dc69a8d4a96c85395 SHA256 Avjgbjt.jpeg
7715ee2028917ab872f5619c9366c5be MD5 Tfvifjufqv.dll
bc8d0c4a0e8e6e6c8dc10d778925edfadcc9c91a SHA1 Tfvifjufqv.dll
79bbc5b7176bc775abe9f52acad28b21ed610738ba3af8274a2ca42029f625a2 SHA256 Tfvifjufqv.dll