Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://ipfs.io/ipfs/bafybeify7bfw7m2dfnjqzyonaig5fdpaykbrelb3dk6oge2qp5yeeqpvtq/
Detected Brand
DocuSign
Country
USA
Confidence
100%
HTTP Status
200
Report ID
63d70f64-02f…
Analyzed
2026-03-05 07:26
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1AC214530B009D81B4662C2C4F7F0A50B3F81C3D9D7482D1176DBA2AA1EF6D59DC1A0C5 |
|
CONTENT
ssdeep
|
12:hRwMy7FU5GKNJdoRG7wv9Tv6qqET7ADAtJD1G7BzAewPrikkWCFwo7Qa59SCIUeC:hR/CCdo9v9zdnh7DmKvUuTSxvOPwyoTp |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
dc2fa7e2d89ca2c0 |
|
VISUAL
aHash
|
ff000018d8c0f8ff |
|
VISUAL
dHash
|
6363a232b2ad2060 |
|
VISUAL
wHash
|
ff000018d8f0fcff |
|
VISUAL
colorHash
|
1e007000000 |
|
VISUAL
cropResistant
|
31a1236363636363,ae820baa8ecc8eb2,4c48080c0c0c1818,63633232b2ab2020 |
Code Analysis
Risk Score
65/100
Threat Level
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
🎣 OTP Stealer
🔬 Threat Analysis Report
• Threat: Phishing
• Target: DocuSign users
• Method: Impersonation and social engineering.
• Exfil: Unknown (likely credentials or malware).
• Indicators: Domain mismatch, suspicious CTA, brand impersonation.
• Risk: HIGH
📊 Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Brand Impersonation
The page tries to impersonate DocuSign.
Domain Mismatch
The domain is not a DocuSign domain.
Suspicious Call To Action
The 'View File' button is highly likely to lead to malicious activity.
🔬 Comprehensive Threat Analysis
Threat Type
Two-Factor Authentication Stealer
Target
DocuSign users (USA)
Attack Method
Brand impersonation
Exfiltration Channel
Form submission (backend endpoint not detected - likely JavaScript-based)
Risk Assessment
HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
⚠️ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer
🏢 Brand Impersonation Analysis
Impersonated Brand
DocuSign
Official Website
https://www.docusign.com/
Fake Service
Document review
⚔️ Attack Methodology
Primary Method: Phishing through brand impersonation.
The attacker creates a webpage that mimics the appearance of DocuSign. The goal is to trick the user into clicking the 'View File' button.
Secondary Method: Credential Harvesting
If the user clicks on the button, they are likely directed to a fake login page designed to steal credentials.
🌐 Infrastructure Indicators of Compromise
Domain Information
Domain
ipfs.io
Registered
2014-05-16
Registrar
Unknown
Status
Active
🤖 AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Scan History for ipfs.io
Found 10 other scans for this domain
-
https://bafybeifucnntp2tzvo2smmgd2nrz2anlih4bapzou...
https://bafybeidainj73npe2kepzldqmuwzes5stwbgtu2pb...
https://bafybeidzv5orafwm4qq7m5wdptagbyyaksssolxhe...
https://bafybeiby3jwvxj44lno5pu2qjn5ezh5mlm4fkoy4q...
https://bafybeiaz6xbudbilnb4a52kkl2ffapf7oim253s7i...
https://bafybeieqilhn5yjrdt2cs46bglcamzimrcgbfuvq3...
https://bafkreidpy5pr2m6yvnk6v7ry7tu5lydi2rkd5reft...
https://bafybeih4lunv4ykv3qnx3n4c2c3d3gl5vlonz34ui...
http://ipfs.io/ipfs/bafybeibo7ht7ythkoucqnhcd4lzr5...
https://bafybeicfvmv4fni2inofzgesr4hc754scsn2zsohf...
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.