EN ES PT
Back to Stats

Visual Capture

No screenshot available

Detection Info

https://app.gitbook.com/o/lV4gAi9JKryA7LuwxuDM/s/b7FIgAIpipP4T4WNzJCl/
Detected Brand
GitBook
Country
International
Confidence
100%
HTTP Status
200
Report ID
bce552c4-a91โ€ฆ
Analyzed
2026-02-07 22:46

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T14D323CF12220257F065B8BE9FA91E3CDF64FA14CD9624E84D178437926CBCE0D916978
CONTENT ssdeep
192:999lDvk0NlohsV6qB2kZFo/MdF/C84+Hi9Vcs/MZk7K/GfxTNy:ZlD7NlohsTTo/MdF34+H8VPECG/QNy

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
ecdbc19a2cc36c2c
VISUAL aHash
f0f2f3f393f3f3f3
VISUAL dHash
159447673625a426
VISUAL wHash
f0f0f1b090f0f2f2
VISUAL colorHash
07000030000
VISUAL cropResistant
159447673625a426,9991858b362db66c

Code Analysis

Risk Score 100/100
Threat Level BAJO
๐ŸŽฃ Credential Harvester ๐ŸŽฃ OTP Stealer ๐ŸŽฃ Card Stealer ๐ŸŽฃ Banking ๐ŸŽฃ Personal Info
๐Ÿ”ฅ Firebase Backend

๐Ÿ”ฌ Threat Analysis Report

โ€ข Threat: None (Legitimate)
โ€ข Target: GitBook users
โ€ข Method: N/A
โ€ข Exfil: N/A
โ€ข Indicators: Domain matches brand, standard login form
โ€ข Risk: Low

๐Ÿ”’ Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

๐ŸŽฏ Kit Endpoints

  • https://gitbook.com/docs/creating-content/blocks/code-block#with-line-numbers
  • https://gitbook.com/docs/creating-content/blocks/code-block#wrap-code
  • https://js-eu1.hsforms.net/forms/v2.js
  • https://www.googletagmanager.com/gtm.js?id=
  • https://gitbook.com/docs
  • https://www.gitbook.com/events
  • https://policies.gitbook.com/privacy/cookies
  • https://knowledge.hubspot.com/account/prevent-contact-properties-update-through-tracking-code-api)
  • https://gitbook.com/docs/getting-started/import
  • https://mycompany.com/privacy-policy
  • https://gitbook.com/docs/published-documentation/customization
  • https://js.hs-banner.com/v2
  • https://js.hs-scripts.com/8443689.js
  • https://gitbook.com/docs/creating-content/blocks/code-block#set-syntax
  • https://js.hsforms.net/forms/v2.js
  • https://api-iam.eu.intercom.io
  • https://js.hs-banner.com/v2/8443689/banner.js
  • https://js.hs-analytics.net/analytics/1770507900000/8443689.js
  • https://gitbook.com/docs/content-editor/searching-your-content
  • https://cdn.segment.(com|build)
  • https://gitbook.slack.com/archives/C07AQA4256G/p1721923712258389
  • https://${new
  • https://api-iam.intercom.io
  • https://segment-cdn.gitbook.com/next-integrations/actions/hubspot-web/d15abe56021b9cc2c7a9.js
  • https://gitbookio.github.io/space-quickstart-images/public-docs-card.svg
  • https://gitbookio.github.io/space-quickstart-images/import-panel.svg
  • https://${x4.services.fonts.host}/font/custom/`,
  • https://example.com/fallback
  • https://mysite.com/file
  • https://app.gitbook.com/o/lV4gAi9JKryA7LuwxuDM/s/b7FIgAIpipP4T4WNzJCl/${t}/~gitbook/embed/script.js

๐Ÿ“ก API Calls Detected

  • https://gitbook.com/docs/resources/firewall-safelist
  • mailto:[email protected]
  • GET
  • ${t}${n}
  • first
  • POST
  • /__cookies__
  • https://www.google.com/ccm/geo
  • https://github.com/GitbookIO/community/discussions
  • https://github.com/orgs/GitbookIO/discussions/categories/feature-requests

โ˜๏ธ Cloud Backend

  • Firebase: gitbook-x-prod-default-rtdb.firebaseio.com

๐Ÿ“Š Risk Score Breakdown

Total Risk Score
5/100

Contributing Factors

Domain matches Brand
The domain is app.gitbook.com, which is consistent with the brand.
Obfuscation
Javascript obfuscation detected, this is common.

๐Ÿ”ฌ Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
GitBook users (International)
Attack Method
credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Firebase Database
Risk Assessment
CRITICAL - Automated credential harvesting with Firebase Database

โš ๏ธ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 7141 obfuscation techniques

๐Ÿข Brand Impersonation Analysis

Impersonated Brand
GitBook
Official Website
null

โš”๏ธ Attack Methodology

Primary Method: Credential Harvesting

The site is designed to collect user credentials by presenting a legitimate-looking login form. The obfuscated Javascript may be for tracking or more malicious uses.

๐ŸŒ Infrastructure Indicators of Compromise

๐Ÿฆ  Malicious Files

Main File
8443689.js
File Size

๐Ÿ”ฌ JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
1.8ย MB

๐Ÿ”— API Endpoints Detected

Other
39

๐Ÿ” Obfuscation Detected

  • : None
  • : Light
  • : Moderate
  • : None
  • : Heavy
  • : Heavy
  • : Light
  • : Light
  • : Moderate
  • : Light

๐Ÿค– AI-Extracted Threat Intelligence

๐ŸŽฏ Malicious Files Identified

Main Drainer
8443689.js
File Size
1814KB

Scan History for app.gitbook.com

Found 1 other scan for this domain

๐Ÿ˜ฐ
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.