EN ES PT
Back to Stats

Visual Capture

Screenshot of docs.google.com

Detection Info

https://docs.google.com/forms/d/e/1FAIpQLSdn1Xdy3I9WuxOW54q5qMkaI-DugZVK3k3Y6YgWx-FDeeLGMg/viewform?usp=send_form
Detected Brand
Canada Post
Country
Canada
Confidence
100%
HTTP Status
200
Report ID
70d7381d-6bd…
Analyzed
2026-01-31 18:20
Final URL (after redirects)
https://docs.google.com/forms/d/e/1FAIpQLSdn1Xdy3I9WuxOW54q5qMkaI-DugZVK3k3Y6YgWx-FDeeLGMg/viewform

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T13A62C673A025BC3756138BE0B8A1B71EF9A3D30CDC1614A169FC93A12FD9D51A48F74A
CONTENT ssdeep
384:9+G+rS1M2C1MEGXoyytTuVWjh+hwYuYVY1:EhrS141KXP4Cd/561

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b13166666430cfcf
VISUAL aHash
c3c3ffcfffffffff
VISUAL dHash
8e9e70900c200000
VISUAL wHash
c0c0ecccc4c0f070
VISUAL colorHash
070000001c0
VISUAL cropResistant
8e9e70900c200000,728c9452d3b69e90

Code Analysis

Risk Score 85/100
Threat Level ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Impersonation phishing
• Target: Canada Post customers
• Method: Deceptive form, asking to reschedule a parcel.
• Exfil: Potentially harvest personal info if a form is presented.
• Indicators: IP address in the link, hosted on Google Forms, impersonation.
• Risk: HIGH

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

📤 Form Action Targets

  • https://docs.google.com/forms/d/e/1FAIpQLSdn1Xdy3I9WuxOW54q5qMkaI-DugZVK3k3Y6YgWx-FDeeLGMg/formResponse

📊 Risk Score Breakdown

Total Risk Score
90/100

Contributing Factors

Impersonation
Mimics Canada Post, creating a sense of urgency.
Suspicious Link
The link leads to a suspicious IP address instead of a legitimate Canada Post domain.
Hosting Platform
Hosted on Google Forms, often used for phishing attacks.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
Canada Post users (Canada)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
HTTP POST to backend
Risk Assessment
CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
  • 94 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand
Canada Post
Official Website
https:
Fake Service
Delivery Notification/Rescheduling

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Impersonation

The attacker is impersonating Canada Post to trick users into providing information. This is done through a fake delivery notification.

Secondary Method: Redirection

The 'reschedule' link is designed to redirect users to a malicious website or harvest information.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain
None
Registered
None
Registrar
None
Status
None

🤖 AI-Extracted Threat Intelligence

😰
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.