SafeMode - Analysis: fromtop.pages.dev

Visual Capture

Detection Info

http://fromtop.pages.dev/www

Detected Brand

Zimbra

Country

International

Confidence

95%

HTTP Status

200

Report ID

2536d2e5-7ab…

Analyzed

2026-03-17 13:17

Final URL (after redirects)

https://fromtop.pages.dev/www

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T14B81D7214045AC76858351C46A60BF6857FA83B8C703484CFCEACF8D2AD2EE5E35739A
CONTENT ssdeep	96:kSaZO4eXA3UijcAmOUEs7whV4C6j0Lc9/z:NXSjcaUdUhVB6uc9/z

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b3a3cccc33333166
VISUAL aHash	ffffc3c3e7ffffe7
VISUAL dHash	204d4d4d4d32040c
VISUAL wHash	ffffe7c3e7000000
VISUAL colorHash	070000001c0
VISUAL cropResistant	204d4d4d4d32040c,a280a280a280a200,088bf4f464f0f00e

Code Analysis

Risk Score 63/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

🔬 Threat Analysis Report

• Threat: Phishing
• Target: Zimbra users
• Method: Impersonation through a fake login page.
• Exfil: https://xn--80aes0ba.xn--p1ai/ajax/ibi.php
• Indicators: Free hosting, Zimbra logo, form to suspicious domain, obfuscation.
• Risk: HIGH

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

document.write

🎯 Kit Endpoints

https://blog.zimbra.com
https://mail.ibl.bas.bg/css/common,login,zhtml,skin.css?skin=harmony&v=220204081455

📤 Form Action Targets

https://xn--80aes0ba.xn--p1ai/ajax/ibi.php

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Free Hosting and Brand Impersonation

The site is hosted on a free hosting platform (pages.dev) and visually impersonates the login page of Zimbra.

Suspicious Form Action

The form action points to a potentially malicious domain (xn--80aes0ba.xn--p1ai), which is a strong indicator of phishing.

Obfuscation Detected

Obfuscation of javascript code is another indicator of malicious intent.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Zimbra users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

HIGH - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester
1 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Zimbra

Official Website

null

Fake Service

Login Portal

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker is using a fake login form that mimics the Zimbra login page hosted on free hosting to collect user credentials. Victims are tricked into entering their username and password, which are then sent to the attacker.

Secondary Method: Social Engineering

The attacker relies on social engineering techniques by creating a webpage that looks legitimate enough to trick users into entering their login credentials.