SafeMode - Analysis: ipfs.io

Visual Capture

Detection Info

https://ipfs.io/ipfs/bafkreibb5re2zwhqkpgfgthhaxzxp5usghrx6lxcele4xo3ufodsxhunva

Detected Brand

DocuSign

Country

International

Confidence

100%

HTTP Status

200

Report ID

04463528-b60…

Analyzed

2026-01-25 08:30

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1BB1299A911A38EAF014384E471AAEF5F71D5C208CFA7D24D71AC51A9B7DBC53ACD026C
CONTENT ssdeep	192:+kDfM6x5dL0D8HmVdkDdHkQ7VzD8H5jkebij87DdHQj7vHj1Njzy:jDjdL0D8HwaDdHJBD8H5jkebij87DdH/

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	a6d8d87266d95272
VISUAL aHash	7c5f676767673f7f
VISUAL dHash	99bc8ccdcfcdf0c6
VISUAL wHash	6c1f072723071f37
VISUAL colorHash	07001008088
VISUAL cropResistant	99bc8ccdcfcdf0c6,4098606424208800,010061c9c9010101

Code Analysis

Risk Score 100/100

Threat Level BAJO

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

Telegram Exfiltration

🔬 Threat Analysis Report

• Threat: Potential credential harvesting
• Target: DocuSign users
• Method: Prompting users to sign in with email providers to view a secure cloud document.
• Exfil: Unknown
• Indicators: Third-party sign-in options, request to choose email provider.
• Risk: LOW - Requires user interaction to potentially expose credentials.

🔒 Obfuscation Detected

fromCharCode
unescape
document.write
unicode_escape

🔑 Telegram Bot Tokens (1)

7719595677:AAHi...3YZzOqpg

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected active phishing kit types: Credential Harvester, OTP Stealer, Personal Info

Credential Harvesting

Credential harvesting detected with 5 form(s) capturing sensitive data

Telegram Exfiltration

Real-time data exfiltration via Telegram (1 bot token(s) exposed in client-side code)

Code Obfuscation

JavaScript code obfuscated using 24 technique(s) to evade detection

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

DocuSign users (International)

Attack Method

credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Telegram Bot (7719595677:AAHib_f1R...)

Risk Assessment

CRITICAL - Automated credential harvesting with Telegram Bot (7719595677:AAHib_f1R...)

⚠️ Indicators of Compromise

1 Telegram bot token(s)
Kit types: Credential Harvester, OTP Stealer, Personal Info
24 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

DocuSign

Official Website

Unknown

Fake Service

Fraudulent service portal

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Credential Harvesting

Victim enters username and password into fake login form. Credentials are captured via JavaScript and exfiltrated to attacker's server in real-time.

Secondary Method: JavaScript Obfuscation

Malicious code is obfuscated using 24 techniques to evade detection by security scanners and make reverse engineering more difficult.

📡 Telegram Command & Control Infrastructure

Bot Token (Masked)

7719595677:AAHi...3YZzOqpg

Bot ID

7719595677

Group/Chat ID

Unknown

Operator Language

Unknown

💬 Message Templates (3)

ID	Portuguese	English	Trigger

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

ipfs.io

Registered

2014-05-16 18:34:42+00:00

Registrar

CSC Corporate Domains, Inc.

Status

Active (older domain)

Hosting Information

Provider

CSC Corporate Domains, Inc.

ASN

📊 Attack Flow Diagram

```
┌─────────────────────────────────────────────────────────────────┐
│                VICTIM VISITS PHISHING PAGE                      │
│           (Fake login, verification, support page)             │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              VICTIM ENTERS CREDENTIALS (Form 5)                │
│                                                                 │
│  - Email/Username                                               │
│  - Password                                                     │
│  - 2FA code (if requested)                                      │
│  - Seed phrase (if crypto-related)                              │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              FORM SUBMISSION (JavaScript POST)                  │
│                                                                 │
│  Credentials sent to:                                           │
│  → Telegram bot (real-time notification)                       │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│          🔔 TELEGRAM NOTIFICATION (Attacker alerted)            │
│                                                                 │
│  Message contains:                                              │
│  - Victim's email/username                                      │
│  - Password                                                     │
│  - IP address                                                   │
│  - User agent                                                   │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              VICTIM SEES FAKE ERROR / REDIRECT                  │
│                                                                 │
│  - "Incorrect password, try again"                              │
│  - "Account locked, contact support"                            │
│  - Redirect to legitimate site                                  │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│                🚨 CREDENTIALS STOLEN                            │
│                                                                 │
│  Attacker can now:                                              │
│  - Access victim's account                                      │
│  - Bypass 2FA (if captured)                                     │
│  - Steal funds (if crypto seed phrase)                          │
└─────────────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Sophistication Level

Basic

Total Code Size

397.7 KB

🔗 API Endpoints Detected

Other

20

🔐 Obfuscation Detected

: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

```
┌─────────────────────────────────────────────────────────────────┐
│                VICTIM VISITS PHISHING PAGE                      │
│           (Fake login, verification, support page)             │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              VICTIM ENTERS CREDENTIALS (Form 5)                │
│                                                                 │
│  - Email/Username                                               │
│  - Password                                                     │
│  - 2FA code (if requested)                                      │
│  - Seed phrase (if crypto-related)                              │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              FORM SUBMISSION (JavaScript POST)                  │
│                                                                 │
│  Credentials sent to:                                           │
│  → Telegram bot (real-time notification)                       │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│          🔔 TELEGRAM NOTIFICATION (Attacker alerted)            │
│                                                                 │
│  Message contains:                                              │
│  - Victim's email/username                                      │
│  - Password                                                     │
│  - IP address                                                   │
│  - User agent                                                   │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│              VICTIM SEES FAKE ERROR / REDIRECT                  │
│                                                                 │
│  - "Incorrect password, try again"                              │
│  - "Account locked, contact support"                            │
│  - Redirect to legitimate site                                  │
└─────────────────────────┬───────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────────┐
│                🚨 CREDENTIALS STOLEN                            │
│                                                                 │
│  Attacker can now:                                              │
│  - Access victim's account                                      │
│  - Bypass 2FA (if captured)                                     │
│  - Steal funds (if crypto seed phrase)                          │
└─────────────────────────────────────────────────────────────────┘
```