Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://azultienda.com.mx/upro/sso.login/login2.php
Detected Brand
plala
Country
Unknown
Confidence
100%
HTTP Status
200
Report ID
6c282a5a-5ddโฆ
Analyzed
2026-02-06 02:39
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T13AB1C01493412B0E64A591F6C3606FA843E28C2ED7321958985EE63F1CCD54EED6BBFC |
|
CONTENT
ssdeep
|
96:jN4CpfHSfo47lGCty5vk+7TSTre5b1/LhC5Sb3yJSLP0z3lKZVwcbwYxyCPoZz0X:jWUyUBWcb10KibALJxawh |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
969339389e9998dc |
|
VISUAL
aHash
|
1c243c3c3c000000 |
|
VISUAL
dHash
|
394d686865140000 |
|
VISUAL
wHash
|
1c243c3c3f030f0f |
|
VISUAL
colorHash
|
07050000400 |
|
VISUAL
cropResistant
|
394d686865140000 |
Code Analysis
Risk Score
82/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Credential Harvester
๐ฃ Banking
๐ฃ Personal Info
๐ฌ Threat Analysis Report
โข Threat: Phishing
โข Target: plala users
โข Method: Credential Harvesting
โข Exfil: cgi-binsso/pf/agent_sso.php
โข Indicators: Login form, credential harvesting
โข Risk: HIGH
๐ Credential Harvesting Forms
๐ Obfuscation Detected
- fromCharCode
- document.write
- hex_escape
- base64_strings
๐ฏ Kit Endpoints
- https://azultienda.com.mx/upro/sso.login/login2.php
๐ค Form Action Targets
- cgi-binsso/pf/agent_sso.php
๐ Risk Score Breakdown
Total Risk Score
95/100
Contributing Factors
Suspicious Domain
The domain azultienda.com.mx is unrelated to the target brand 'plala'.
Credential Harvesting
The page contains a login form asking for sensitive information (username/password).
Obfuscation Detected
Obfuscation techniques are often used to hide malicious code.
๐ฌ Comprehensive Threat Analysis
Threat Type
Banking Credential Harvester
Target
plala users (Unknown)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
HTTP POST to backend
Risk Assessment
CRITICAL - Automated credential harvesting with HTTP POST to backend
โ ๏ธ Indicators of Compromise
- Kit types: Credential Harvester, Banking, Personal Info
- 130 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
plala
Fake Service
Login service
โ๏ธ Attack Methodology
Primary Method: Credential Harvesting
The attacker is attempting to steal login credentials by presenting a fake login form on an unrelated domain.
๐ Infrastructure Indicators of Compromise
๐ฆ Malicious Files
Main File
script.js.download
File Size
๐ Attack Flow Diagram
User fills <input name=username> โ td_5a.td_1e() โ fetch('https://azultienda.com.mx/upro/sso.login/login2.php') โ credentials sent
๐ฌ JavaScript Deep Analysis
Total Code Size
105.0ย KB
๐ API Endpoints Detected
Other
1
๐ Obfuscation Detected
- : Moderate
- : None
- : None
๐ค AI-Extracted Threat Intelligence
๐ Attack Flow
User fills <input name=username> โ td_5a.td_1e() โ fetch('https://azultienda.com.mx/upro/sso.login/login2.php') โ credentials sent
๐ฏ Malicious Files Identified
Main Drainer
script.js.downloadFile Size
estimated 45KB
Malicious Functions
td_5a.td_1etmx_post_session_params_fixed
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
plala
https://candidtechnologies.co/master/upgrde/pla_bins/login2....
Feb 13, 2026
plala
https://hellofoody.xyz/login.plala/login2.php
Feb 04, 2026
plala
https://sdnancol01.sch.id/dwagg/sso.login/login2.php
Jan 28, 2026
plala
https://packages.soulservices.com/activeplala/sso.login/logi...
Jan 27, 2026
Plala
https://sdnancol01.sch.id/dwagg/sso.login/login2.php
Jan 21, 2026
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.