Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://nuudin.site/1/
Detected Brand
Nubank
Country
International
Confidence
100%
HTTP Status
200
Report ID
21a2128a-993โฆ
Analyzed
2026-02-12 12:22
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T13732DA7072906ABB91CBD2E1B275AB5A72C8CB4BCA57C701A3F983845FC7C52DC48254 |
|
CONTENT
ssdeep
|
192:TZdspGnSPaLKGHnC/MnwswaocZmJ3O5uxTRWAwzDfS:ldsE+QHnCEnwIZWzJRWAwzDq |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b3333333c9cc6664 |
|
VISUAL
aHash
|
e7e7e7ffe7e7ffff |
|
VISUAL
dHash
|
4d4d4d124c4d120a |
|
VISUAL
wHash
|
0707272f07072f3f |
|
VISUAL
colorHash
|
07200000030 |
|
VISUAL
cropResistant
|
4d4d4d124c4d120a,33f4d989f9e5cdd9 |
Code Analysis
Risk Score
100/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Credential Harvester
๐ฃ OTP Stealer
๐ฃ Card Stealer
๐ฃ Banking
๐ฃ Personal Info
๐ฌ Threat Analysis Report
โข Threat: Phishing
โข Target: Nubank customers
โข Method: Impersonation and malicious JavaScript.
โข Exfil: Unknown, likely via form submissions hidden by obfuscation.
โข Indicators: Domain mismatch, Javascript obfuscation, brand impersonation.
โข Risk: HIGH
๐ Obfuscation Detected
- eval
- fromCharCode
- unescape
- unicode_escape
- base64_strings
๐ฏ Kit Endpoints
- http://developers.facebook.com/policy/].
- https://cdn.utmify.com.br/scripts/pixel/pixel.js
- https://www.facebook.com/privacy_sandbox/pixel/register/trigger/
- https://tailwindcss.com/docs/content-configuration
- https://nuudin.site/1/js/latest.js
- https://api.vturb.com.br
- https://tailwindcss.com/docs/using-with-preprocessors#nesting
- https://connect.facebook.net/
- https://connect.facebook.net/en_US/fbevents.js
- https://nuudin.site/1/js/page-handler3.js
- https://tailwindcss.com/docs/installation
- https://api6.ipify.org?format=json
- https://evilmartians.com/chronicles/postcss-8-plugin-migration`),m.env.LANG&&m.env.LANG.startsWith(
- https://tailwindcss.com`}),...e.nodes])},container:(()=
- https://mths.be/cssesc
- https://connect.facebook.net/log/fbevents_telemetry/
- https://cdn.tailwindcss.com
- https://www.facebook.com/tr
- https://developers.facebook.com/docs/meta-pixel/reference/
- https://tailwindcss.com/docs/content-configuration#pattern-recommendations
- https://twitter.com/browserslist
- https://www.instagram.com/tr/
- https://tailwindcss.com/docs/content-configuration#safelisting-classes
- https://tailwindcss.com/docs/content-configuration#discarding-classes
- https://www.facebook.com/privacy_sandbox/topics/registration/
- https://gw.conversionsapigateway.com
- https://www.facebook.com/tr/
- https://analytics.tiktok.com/i18n/pixel/events.js
- https://api.ipify.org?format=json
- https://wa.me/${o}?${e.split(
๐ก API Calls Detected
- GET
- https://ipapi.co/json/
๐ Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Recent Domain
Domain created recently, high probability of malicious intent
Domain Mismatch
Domain does not match the official Nubank domain.
Obfuscated Javascript
JavaScript code obfuscation is a common method for hiding malicious activity.
๐ฌ Comprehensive Threat Analysis
Threat Type
Banking Credential Harvester
Target
Nubank users (International)
Attack Method
Brand impersonation + obfuscated JavaScript
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
โ ๏ธ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
- 158 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
Nubank
Official Website
https://nubank.com.br/
Fake Service
Credit application
Fraudulent Claims
โ๏ธ Attack Methodology
Primary Method: Credential Harvesting
The site attempts to imitate the Nubank website to deceive users into providing personal or financial credentials. This is made possible via the registration of a similar looking domain and the obfuscation of the site's code to hide malicious activity.
Secondary Method: Social Engineering
The site uses design elements and branding to mislead users into believing it is a legitimate site.
๐ Infrastructure Indicators of Compromise
๐ฆ Malicious Files
Main File
24382586641438160?v=2.9.265&r=stable&domain=nuudin.site&hme=8faeb0ed09c145bbd9d3213e762abac29e9f76b8e7a9df9d71a3058625e3b7dd&ex_m=96%2C187%2C136%2C21%2C68%2C69%2C129%2C64%2C43%2C130%2C73%2C63%2C10%2C143%2C82%2C15%2C95%2C124%2C117%2C71%2C74%2C123%2C140%2C104%2C145%2C7%2C3%2C4%2C6%2C5%2C2%2C83%2C93%2C146%2C151%2C201%2C57%2C167%2C168%2C50%2C238%2C28%2C70%2C213%2C212%2C211%2C30%2C56%2C9%2C59%2C89%2C90%2C91%2C97%2C120%2C29%2C27%2C122%2C119%2C118%2C137%2C72%2C139%2C138%2C45%2C55%2C113%2C14%2C142%2C40%2C226%2C227%2C225%2C24%2C25%2C26%2C17%2C19%2C39%2C35%2C37%2C36%2C78%2C84%2C88%2C102%2C128%2C131%2C41%2C103%2C22%2C20%2C109%2C65%2C33%2C133%2C132%2C134%2C125%2C23%2C32%2C54%2C101%2C141%2C66%2C16%2C135%2C106%2C77%2C62%2C18%2C31%2C249%2C194%2C181%2C182%2C180%2C252%2C244%2C195%2C99%2C121%2C76%2C111%2C49%2C42%2C44%2C105%2C110%2C116%2C53%2C60%2C115%2C48%2C51%2C47%2C92%2C144%2C0%2C114%2C13%2C112%2C11%2C1%2C52%2C85%2C58%2C61%2C108%2C81%2C80%2C147%2C148%2C86%2C87%2C8%2C94%2C46%2C126%2C79%2C75%2C67%2C107%2C98%2C38%2C127%2C34%2C100%2C12%2C149
File Size
๐ฌ JavaScript Deep Analysis
Operator Language
English (1%)
Sophistication Level
Basic
Total Code Size
941.9ย KB
๐ API Endpoints Detected
Other
20
๐ Obfuscation Detected
- : Light
- : Moderate
- : Light
- : Light
- : Moderate
- : None
๐ค AI-Extracted Threat Intelligence
๐ฏ Malicious Files Identified
Main Drainer
24382586641438160?v=2.9.265&r=stable&domain=nuudin.site&hme=8faeb0ed09c145bbd9d3213e762abac29e9f76b8e7a9df9d71a3058625e3b7dd&ex_m=96%2C187%2C136%2C21%2C68%2C69%2C129%2C64%2C43%2C130%2C73%2C63%2C10%2C143%2C82%2C15%2C95%2C124%2C117%2C71%2C74%2C123%2C140%2C104%2C145%2C7%2C3%2C4%2C6%2C5%2C2%2C83%2C93%2C146%2C151%2C201%2C57%2C167%2C168%2C50%2C238%2C28%2C70%2C213%2C212%2C211%2C30%2C56%2C9%2C59%2C89%2C90%2C91%2C97%2C120%2C29%2C27%2C122%2C119%2C118%2C137%2C72%2C139%2C138%2C45%2C55%2C113%2C14%2C142%2C40%2C226%2C227%2C225%2C24%2C25%2C26%2C17%2C19%2C39%2C35%2C37%2C36%2C78%2C84%2C88%2C102%2C128%2C131%2C41%2C103%2C22%2C20%2C109%2C65%2C33%2C133%2C132%2C134%2C125%2C23%2C32%2C54%2C101%2C141%2C66%2C16%2C135%2C106%2C77%2C62%2C18%2C31%2C249%2C194%2C181%2C182%2C180%2C252%2C244%2C195%2C99%2C121%2C76%2C111%2C49%2C42%2C44%2C105%2C110%2C116%2C53%2C60%2C115%2C48%2C51%2C47%2C92%2C144%2C0%2C114%2C13%2C112%2C11%2C1%2C52%2C85%2C58%2C61%2C108%2C81%2C80%2C147%2C148%2C86%2C87%2C8%2C94%2C46%2C126%2C79%2C75%2C67%2C107%2C98%2C38%2C127%2C34%2C100%2C12%2C149File Size
943KB
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Nubank
https://atendimento.portal-seucredito.com/
Jun 25, 2026
Nubank
https://emprestimo-nu.com/inicio/01/
Feb 18, 2026
Nubank
https://emprestimoliberado.com/inicio/01/
Feb 13, 2026
Nubank
https://emprestimoliberado.com/aa/inicio/01/
Feb 12, 2026
NuBank
https://seguniao.pro/inicio/01/?utm_source=google&utm_ca...
Feb 12, 2026
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.