Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://docusign-file.fyi/review
Detected Brand
DocuSign
Country
International
Confidence
100%
HTTP Status
200
Report ID
3fe72692-36cā¦
Analyzed
2026-03-05 07:26
Final URL (after redirects)
https://ipfs.io/ipfs/bafybeify7bfw7m2dfnjqzyonaig5fdpaykbrelb3dk6oge2qp5yeeqpvtq/
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1AE211530B049D81B4662C2C4F7F0A50B3F81C3D9D7482D1576DFA6AA1EF6D59EC1A0D5 |
|
CONTENT
ssdeep
|
12:hRwMy7FU5GKNJdoRG7wv9Tv6qqET7ADAtJD1G7BzAewPrikkWCFwo7Qa59SCIUeY:hR/CCdo9v9zdnh7DmKvUuTj6vOPwyoTp |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
dc2fa7e2d89ca2c0 |
|
VISUAL
aHash
|
ff000018d8e0f8ff |
|
VISUAL
dHash
|
63636232b2a92064 |
|
VISUAL
wHash
|
ff000018d8f0fcff |
|
VISUAL
colorHash
|
1e007000000 |
|
VISUAL
cropResistant
|
31a1232363636363,ae820baa8eccceb2,4c4c080c0c0c1818,63633232b2ab2060 |
Code Analysis
Risk Score
65/100
Threat Level
ALTO
ā ļø Phishing Confirmed
š£ Credential Harvester
š£ OTP Stealer
š¬ Threat Analysis Report
ā¢ Threat: Phishing
ā¢ Target: DocuSign users
ā¢ Method: Impersonation via a suspicious domain and a call to action button.
ā¢ Exfil: Unknown, likely credential theft or malware download.
ā¢ Indicators: Domain mismatch, call to action button, request to verify.
ā¢ Risk: High
š Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Domain Mismatch
The domain does not match the legitimate DocuSign domain.
Phishing Keywords and Tactics
The page uses a call to action button, a common phishing tactic.
Suspicious domain extension
The use of .fyi is unusual for a document portal
š¬ Comprehensive Threat Analysis
Threat Type
Two-Factor Authentication Stealer
Target
DocuSign users (International)
Attack Method
Brand impersonation
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
ā ļø Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer
š¢ Brand Impersonation Analysis
Impersonated Brand
DocuSign
Official Website
https://www.docusign.com
Fake Service
DocuSign Secure Document Portal
āļø Attack Methodology
Primary Method: Credential Harvesting / Malware Delivery
The attacker aims to steal user credentials. After clicking the 'View File' button, the user will likely be redirected to a page that attempts to steal credentials through a login form or install malware on the users system.
Secondary Method: Spear Phishing
The email containing the link has likely been sent in bulk, targeting DocuSign users. It may contain personalized information to increase its chance of success.
š Infrastructure Indicators of Compromise
Domain Information
Domain
docusign-file.fyi
Registered
None
Registrar
None
Status
None
š¤ AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for docusign-file.fyi
Found 2 other scans for this domain
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.