4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578nfedigitalcom: 4eb1fbf2 — Delphi NFe certificate plugin DLL, May 2026
Executive Summary
A PE32 GUI DLL compiled with Embarcadero Delphi targeting Brazilian NFe (Nota Fiscal Eletrônica) digital-certificate workflows. Heavy Crypt32 certificate-store harvesting, WinHTTP beaconing, and registry manipulation. No static C2 recovered. CAPE skipped due to absent Windows guest; all behaviour inferred from imports, strings, and radare2 surface decompilation. One of two samples in this family cluster (ffdd7105 is the sibling, an EXE).^[triage.json]
What It Is
| Field | Value | Source |
|---|---|---|
| SHA-256 | 4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578 | ^[triage.json] |
| File name (original) | payload.bin | ^[triage.json] |
| Format | PE32 executable (DLL) (GUI) Intel 80386, 10 sections | ^[file.txt] |
| Size | 1,899,520 bytes (~1.9 MB) | ^[triage.json] |
| Timestamp | Fri May 22 05:30:34 2026 UTC (compiled four days before MalwareBazaar submission) | ^[pefile.txt] |
| Compiler / toolchain | Embarcadero Delphi (Linker 2.25, ProgramID com.embarcadero.Project1) | ^[pefile.txt], ^[exiftool.json] |
| Signing | Unsigned (signed: false) | ^[rabin2-info.txt] |
| Exports | CriarArquivoTxt, __dbk_fcall_wrapper, dbkFCallWrapperAddr | ^[pefile.txt] |
The export name CriarArquivoTxt (Portuguese: "Create Text File") and the Project1 version-info masquerade are both typical of Delphi malware built from default template projects.^[pefile.txt:395],^[exiftool.json:39] The __dbk_fcall_wrapper / dbkFCallWrapperAddr pair are Delphi debugger callback exports, not anti-analysis — they appear on any binary built with debug info enabled.^[strings.txt:14724]
How It Works
1. Build / RE Lens
Compiler: Embarcadero Delphi (recent — RTTI strings include System.Net.HttpClient.Win, System.JSON, System.Threading, indicating at least Delphi 10.4+).^[strings.txt:1-200] The 1.9 MB size is almost entirely VCL / RTL runtime bloat; functional malware logic is a small fraction.
Packing / obfuscation: None observed. Sections have entropy 1.2–6.7, well below packed thresholds.^[pefile.txt] No UPX, Themida, or custom packer signatures. binwalk identifies zlib copyright strings (Delphi statically links zlib for compression streams) and a tiny LZMA blob inside .rdata — likely compressed VCL resource data, not encrypted payload.^[binwalk.txt]
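The packing verdict above rests on per-section entropy. The following is an added example, not part of the report's triage pipeline or its tooling: a dependency-free Python triage helper that walks a PE32 section table, computes Shannon entropy per section, and lists which of the fingerprint strings from this report's YARA rule are present. The 7.0 bits/byte packed threshold is an assumed rule of thumb, and the sample PE it runs on is a constructed, non-executable shell built inline so the code runs offline.

```python
"""Static triage helper (added example): parse a PE32 section table, compute
per-section Shannon entropy to test a 'not packed' claim, and list which
fingerprint strings from the report's YARA rule the file contains."""
import math
import struct

# Strings taken from the YARA rule in this report; a hit is a hint, not proof.
FINGERPRINT_STRINGS = [
    b"CriarArquivoTxt",
    b"dbkFCallWrapperAddr",
    b"com.embarcadero.Project1",
    b"System.Net.HttpClient.Win",
    b"CertOpenSystemStoreW",
    b"PFXImportCertStore",
]

# Assumed rule of thumb: sections above ~7.0 bits/byte are usually packed or encrypted.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a uniform fill, 8.0 for a flat byte histogram)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (name, PointerToRawData, SizeOfRawData) for each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                        # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def triage(pe: bytes) -> dict:
    """Per-section entropy, sections over the packed threshold, and fingerprint hits."""
    report = {"sections": {}, "packed_sections": [], "fingerprint_hits": []}
    for name, ptr, size in parse_sections(pe):
        ent = shannon_entropy(pe[ptr:ptr + size])
        report["sections"][name] = round(ent, 2)
        if ent > PACKED_ENTROPY_THRESHOLD:
            report["packed_sections"].append(name)
    report["fingerprint_hits"] = [s.decode() for s in FINGERPRINT_STRINGS if s in pe]
    return report


def build_sample_pe(sections: list) -> bytes:
    """Constructed, non-executable PE32 shell carrying the given (name, data) sections,
    so the parser can be exercised offline without a real sample."""
    num = len(sections)
    opt_size = 0xE0                                 # standard PE32 optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    raw_ptr = 0x40 + 4 + len(coff) + opt_size + 40 * num
    table, bodies = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name[:8].ljust(8, b"\0"), len(data), 0,
                             len(data), raw_ptr + len(bodies), 0, 0, 0, 0, 0x40000040)
        bodies += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + bodies


if __name__ == "__main__":
    sample = build_sample_pe([
        (b".text", b"CriarArquivoTxt\0com.embarcadero.Project1\0" * 50),  # low entropy
        (b".rsrc", bytes(range(256)) * 16),                                  # 8.0 bits/byte
    ])
    print(triage(sample))
```

On the constructed sample the .text section lands well under the threshold while the flat-histogram .rsrc section reads 8.0, which is the shape a packed or encrypted section shows; the real DLL's 1.2 to 6.7 range sits entirely in the unpacked band.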
Anti-analysis: IsDebuggerPresent imported; no VM-detection strings, no CPUID checks, no timing bombs evident in surface strings.^[strings.txt:14502] Anti-debug is opportunistic, not layered.
Code quality: Very low — default project name, default version block, debugger exports left in. This is not a professional builder; it is a rapid-fire Delphi plugin compiled from stock VCL templates.
2. Deploy / ATT&CK Lens
All TTPs below are import-driven inferences unless stated otherwise. No dynamic execution confirms the behavioural chain.
| Technique | Evidence | Confidence |
|---|---|---|
| T1071.001 Application Layer Protocol: Web Protocols | winhttp.dll: WinHttpOpen, WinHttpConnect, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpReadData, WinHttpQueryHeaders | High (direct imports) |
| T1552.004 Credentials from Password Stores: Windows Certificate Stores | Crypt32.dll: CertOpenSystemStoreW, PFXImportCertStore, CertFindCertificateInStore, CertGetNameStringW, CryptDecodeObject | High (direct imports; matches NFe / A1-A3 certificate theft) |
| T1497.001 Virtualization/Sandbox Evasion: System Checks | IsDebuggerPresent | Medium (single check, easily bypassed) |
| T1055 Process Injection | VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateProcessW, ResumeThread, SuspendThread | Medium (imports present; actual injection path not decompiled) |
| T1547.001 Registry Run Keys / Startup Folder | RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW | Low (imports present, no key path recovered) |
| T1070.004 File Deletion | DeleteFileW | Medium |
| T1083 File and Directory Discovery | FindFirstFileW, FindNextFileW, GetFileAttributesExW | Medium |
| T1082 System Information Discovery | GetComputerNameW, GetVolumeInformationW, GetVersionExW | Medium |
C2 Infrastructure: No static C2 indicators recovered (no hardcoded IP, domain, or URL). The WinHTTP imports and their use inside Delphi TWinHTTPClient / TWinHTTPRequest runtime classes imply HTTPS beaconing to a runtime-resolved endpoint — likely decrypted at load time or delivered via an external config.^[strings.txt:12904-12935] The RT_STRING resources contain only VCL error strings; no embedded config blob.^[resource extraction]
Persistence: Inferred via registry writes (see T1547.001 above). The DLL form factor suggests it is loaded by a primary dropper/installer; the CriarArquivoTxt export may be the persistence hook or a decoy file-generation routine called by the installer.
Attribution: Brazilian domestic targeting. The nf-edigital-com label and the nfe (Nota Fiscal Eletrônica) context point to certificate theft from SMEs that use digital certificates (A1/A3 tokens) for SEFAZ / Receita Federal e-invoicing. The May 2026 compilation date is unusually fresh for a Delphi banker, suggesting an active campaign or a builder in current use.
Decompiled Behaviour
Ghidra analysis incomplete for this sample (VCL bloat produced >13,000 functions; auto-analysis queue did not finish within session window).^[ghidra:status] Radare2 surface decompilation of the export CriarArquivoTxt shows a short wrapper that allocates a string buffer (0x5aea8c), checks a path-separator condition (0x5c = \), calls an internal VCL function at 0x5955c0, and returns a file handle or status.^[r2:sym.Project1.dll_CriarArquivoTxt] The actual malicious payload is deeper in the VCL event chain, not in the export stub.
Interesting Tidbits
- binwalk hit on LZMA at offset 0x1CFABA with dictionary size 0 and uncompressed size 21 GB — this is almost certainly a false-positive match inside compressed VCL resource garbage, not a real payload.^[binwalk.txt]
- The floss tool failed during triage due to a CLI syntax error (--no flag collision with the path argument). Triage pipeline should be patched to quote the sample path.^[floss.txt]
- No capa output available — capa signatures were not installed on the triage host at analysis time.^[capa.txt]
- This DLL is paired in MalwareBazaar with an EXE sibling (ffdd7105, 4.7 MB) sharing the nf-edigital-com label. The sibling is likely the dropper/installer that loads this DLL via LoadLibraryA → calls CriarArquivoTxt.^[triage sibling]
How To Mess With It (Homelab Replication)
- Install Delphi Community Edition (or Lazarus/Free Pascal for equivalent VCL forms).
- Create a new DLL project (File → New → DLL).
- Add a single export function named CriarArquivoTxt that returns a string path.
- Link Winapi.WinHTTP, Winapi.Windows, System.Win.Registry, and System.Net.HttpClient units.
- Use Delphi's TWinHTTPClient to POST collected data to a test HTTPS endpoint.
- Use CertOpenSystemStoreW(CERT_STORE_PROV_SYSTEM, L"MY") to enumerate personal certificates.
- Compile with debug info enabled to reproduce the __dbk_fcall_wrapper/dbkFCallWrapperAddr export pair.
- Compare the resulting PE's section names (.text, .itext, .data, .bss, .idata, .didata, .edata, .rdata, .reloc, .rsrc) and linker version to the original.
What you will learn: How Delphi RTL bloat inflates trivial malware to 1.9 MB, and how VCL HTTP client wrappers translate directly into WinHTTP API imports.
Deployable Signatures
YARA Rule
```yara
import "pe"

rule nfedigitalcom_delphi_dll {
    meta:
        description = "Brazilian NFe-targeting Delphi DLL (nfedigitalcom family)"
        author = "PacketPursuit SOC"
        date = "2026-06-05"
        hash = "4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578"
        family = "nfedigitalcom"
    strings:
        $export1 = "CriarArquivoTxt" ascii wide
        $export2 = "dbkFCallWrapperAddr" ascii wide
        $delphi1 = "com.embarcadero.Project1" ascii wide
        $delphi2 = "System.Net.HttpClient.Win" ascii wide
        $delphi3 = "System.Net.URLClient.TCredentialsStorage.TCredential" ascii wide
        $crypt1 = "CertOpenSystemStoreW" ascii wide
        $crypt2 = "PFXImportCertStore" ascii wide
    condition:
        // the pe.* functions below require the "pe" module import above
        uint16(0) == 0x5A4D and
        pe.exports("CriarArquivoTxt") and
        pe.imports("winhttp.dll", "WinHttpOpen") and
        pe.imports("Crypt32.dll", "CertOpenSystemStoreW") and
        3 of ($delphi*) and
        1 of ($crypt*)
}
```
Sigma Rule
```yaml
title: nfedigitalcom Delphi DLL Invoked via rundll32
id: 4eb1fbf2-nfedigitalcom-01
status: experimental
description: >
  Detects rundll32 invoking the CriarArquivoTxt export of the nfedigitalcom Delphi DLL.
  Certificate-store access (CertOpenSystemStoreW, CertFindCertificateInStore) is not visible
  in process-creation telemetry; pair this rule with API-level monitoring of Crypt32 calls.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains: 'CriarArquivoTxt'
  condition: selection
falsepositives:
  - Legitimate Delphi certificate-management utilities (rare)
level: medium
```
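To show how the Sigma selection behaves once it is compiled against real telemetry, here is an added Python example (not from the report or from any Sigma backend) that applies the selection with Sigma's matching semantics: string modifiers are case-insensitive, a list of values under one field is an OR, and the fields of a selection are ANDed. The events are constructed with Sysmon Event ID 1 field names; the process IDs and paths are illustrative.

```python
"""Added example: evaluate the report's Sigma selection against process-creation
events with Sigma's matching semantics (case-insensitive string modifiers, OR across
a field's value list, AND across the selection's fields). Events are constructed
with Sysmon Event ID 1 field names."""

# Mirrors the Sigma rule: rundll32 invoking the CriarArquivoTxt export.
SELECTION = {
    "Image|endswith": ["\\rundll32.exe"],
    "CommandLine|contains": ["CriarArquivoTxt"],
}

# Sigma string comparisons are case-insensitive by default.
MODIFIERS = {
    "": lambda value, pat: value.lower() == pat.lower(),
    "contains": lambda value, pat: pat.lower() in value.lower(),
    "startswith": lambda value, pat: value.lower().startswith(pat.lower()),
    "endswith": lambda value, pat: value.lower().endswith(pat.lower()),
}


def field_matches(event: dict, key: str, patterns) -> bool:
    """One selection entry, e.g. 'Image|endswith': [...]; a value list is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:                       # absent field never matches
        return False
    if modifier not in MODIFIERS:
        raise ValueError(f"unsupported modifier: {modifier}")
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(MODIFIERS[modifier](str(value), str(p)) for p in patterns)


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """All fields of a selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Constructed sample events (Sysmon EID 1 field names); paths and PIDs are illustrative.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\u\\AppData\\Local\\Temp\\payload.bin",CriarArquivoTxt'},
    {"ProcessId": 4132, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},          # benign rundll32 use
    {"ProcessId": 4150, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s payload.bin CriarArquivoTxt"},      # wrong image
    {"ProcessId": 4171, "Image": "C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE",
     "CommandLine": "RUNDLL32.EXE payload.bin,criararquivotxt"},         # case variation
    {"ProcessId": 4190, "Image": "C:\\Tools\\notrundll32.exe",
     "CommandLine": "notrundll32.exe x.dll,CriarArquivoTxt"},            # lookalike name
]


def matching_pids(events) -> list:
    """Process IDs of events the selection fires on."""
    return [e["ProcessId"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    print(matching_pids(SAMPLE_EVENTS))   # [4120, 4171]
```

The leading backslash in '\rundll32.exe' is what keeps the lookalike event (PID 4190) out: an endswith pattern of plain 'rundll32.exe' would also match notrundll32.exe. The uppercase event (PID 4171) still fires because Sigma string matching is case-insensitive.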
IOC List
| Type | Value | Note |
|---|---|---|
| SHA-256 | 4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578 | This sample |
| SHA-256 | ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c | Sibling EXE dropper |
| Export | CriarArquivoTxt | Unique identifier across all observed Delphi malware |
| Export | dbkFCallWrapperAddr | Delphi debug info artefact (not unique, part of cluster fingerprint) |
| DLL characteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, NX_COMPAT | ASLR + DEP enabled |
Behavioural Fingerprint Statement
This binary is a PE32 DLL compiled with Embarcadero Delphi, presenting exports CriarArquivoTxt and dbkFCallWrapperAddr, and importing both WinHTTP client APIs and Crypt32 certificate-store APIs within the same module. On execution, it will likely enumerate the Windows MY certificate store to harvest A1/A3 digital certificates used for Brazilian NFe tax-invoice signing, then transmit the stolen data over HTTPS via WinHTTP. The module is unsigned, has a default Project1 version block, and was compiled in May 2026.
Detection Signatures
- Static: YARA rule above covers the Delphi VCL strings + export + Crypt32 import combination.
- Runtime: Monitor CertOpenSystemStoreW calls from processes that recently loaded a DLL with CriarArquivoTxt in its export table.
- Network: WinHTTP user-agent is the default Mozilla/4.0 unless overridden by the Delphi TWinHTTPClient config at runtime.
References
- Artifact ID: 81641bd5-1a33-404f-8633-c19fd0bbee18
- MalwareBazaar / OpenCTI label: nf-edigital-com → slug nfedigitalcom
- Sibling analysis: /intel/analyses/ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c.html (not yet written)
- Wiki entity page: nfedigitalcom
Provenance
This report was produced from static analysis only (CAPE skipped: no Windows guest available). Tools: file (file.txt), exiftool (exiftool.json), pefile Python module (pefile.txt), GNU strings (strings.txt), radare2 (rabin2-info.txt, decompile), binwalk (binwalk.txt), floss (failed — syntax error), capa (failed — missing signatures). No Ghidra decompiled code due to VCL bloat exceeding session analysis window.