Visual Capture

No screenshot available

Detection Info

https://mail.my.webshar.es/2513501.doc/18a80a/fad0f483-81b2-45c6-ad47-7272058d9cb6
Detected Brand
Unknown
Country
Unknown
Confidence
70%
HTTP Status
200
Report ID
7f5ff85d-86e…
Analyzed
2026-01-25 01:08

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T15D81E03290819D770193D3E072BAAF1636C1C2A5CB075A0453F8E3CD6BE7D82DE75699
CONTENT ssdeep
48:nICYcV+ct368TwDM4+Era6W4oRn2Z9vQZbF7nrSTZE8bnmwY4wtzzeYyXlofvlXB:nP68aM47aTfyvOlST7mhHSYy2fvtSkr

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
e6999964339b6631
VISUAL aHash
ffffe7e7e3e3ffff
VISUAL dHash
000008080c040000
VISUAL wHash
3f3f272724243c3c
VISUAL colorHash
07001000180
VISUAL cropResistant
000008080c040000

Code Analysis

Risk Score 50/100
Credential Harvester

Credential Harvesting Forms

Form Action Targets

  • /site/submit

Risk Score Breakdown

Total Risk Score
70/100

Contributing Factors

Active Phishing Kit
Detected Credential Harvester kit with a single form designed for real-time credential interception and exfiltration. The kit lacks obfuscation, suggesting low-effort deployment but high immediate risk.
URL Structure
URL uses a subdomain of 'webshar.es' (a legitimate file-sharing service) to masquerade as a document link, increasing likelihood of user trust. Path includes a fake document ID ('2513501.doc') and a unique identifier ('18a80a/fad0f483-...'), typical of phishing campaigns.
Lack of Obfuscation
Absence of obfuscation techniques (e.g., JavaScript minification, base64 encoding) suggests the kit is either newly deployed or low-sophistication. This increases detectability but does not reduce immediate threat to victims.
Exfiltration Channels
No Telegram bots, Discord webhooks, or WebSocket URLs detected, indicating credentials are likely exfiltrated via HTTP POST to a hardcoded C2 server. This reduces noise but may limit attacker operational security.
Domain Reputation
The 'webshar.es' domain is a legitimate file-sharing service, but the subdomain 'mail.my.webshar.es' is likely attacker-controlled or abused. This leverages the parent domain's reputation to bypass initial filters.

Comprehensive Threat Analysis

Threat Type
Credential Harvesting Kit
Target
General public
Attack Method
credential harvesting forms
Exfiltration Channel
HTTP POST to backend
Risk Assessment
MEDIUM - Automated credential harvesting with HTTP POST to backend

Indicators of Compromise

  • Kit types: Credential Harvester

Brand Impersonation Analysis

Fake Service
Document Access Portal

Fraudulent Claims

Attack Methodology

Primary Method: Credential Harvesting via Fake Document Portal

The phishing page mimics a document-sharing portal, tricking victims into entering credentials to 'access' a non-existent file (e.g., '2513501.doc'). The single form captures input in real-time and submits it to an attacker-controlled server via HTTP POST, likely without client-side validation.

Secondary Method: Subdomain Spoofing

The URL abuses the 'webshar.es' domain by creating a subdomain ('mail.my.webshar.es') to impersonate a legitimate service. This technique exploits trust in the parent domain to evade email filters and increase click-through rates from victims.

Infrastructure Indicators of Compromise

Domain Information

Domain
mail.my.webshar.es
Registered
Unknown
Registrar
Unknown
Status
Active (older domain)

Hosting Information

Provider
Unknown
ASN

JavaScript Deep Analysis

Sophistication Level
Basic
Total Code Size
88.4 KB

API Endpoints Detected

Other
3

Obfuscation Detected

  • : None
  • : None

AI-Extracted Threat Intelligence
