Phishing Analysis
Detailed analysis of captured phishing page
Visual Capture
Detection Info
https://track-dhl-delivery.duckdns.org/track/track.php
Detected Brand
DHL
Country
International
Confidence
96%
HTTP Status
N/A
Report ID
e370a9cc-889โฆ
Analyzed
2026-03-05 12:29
Content Hashes (HTML Similarity)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1884158B443A3D92B44B2D2C9B6B91B5B63C0829CCAE3161163EDC39D0FEEC55FC52140 |
|
CONTENT
ssdeep
|
24:hR/CH4mOLohuxBVLxnjz5EB8p0KKohzohun/ipmHp:T24myoa3LNe8p0ytp |
Visual Hashes (Screenshot Similarity)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b673591c1c535d1c |
|
VISUAL
aHash
|
00e7e7e7dfffffff |
|
VISUAL
dHash
|
2a0c4e0c36240000 |
|
VISUAL
wHash
|
00c3e7e7001b0f0f |
|
VISUAL
colorHash
|
07000038000 |
|
VISUAL
cropResistant
|
2a0c4e0c36240000 |
Code Analysis
Risk Score
81/100
Threat Level
ALTO
โ ๏ธ Phishing Confirmed
๐ฃ Credential Harvester
Telegram Exfiltration
๐ฌ Threat Analysis Report
โข Threat: Phishing
โข Target: DHL customers
โข Method: Impersonation via fake delivery notification
โข Exfil: Telegram Bot
โข Indicators: Suspicious domain, urgency, payment request.
โข Risk: High
๐ Obfuscation Detected
- fromCharCode
- js_packer
๐ก API Calls Detected
- https://ipwho.is/
๐ Telegram Bot Tokens (1)
- 8519633985:AAF3...Xkas8_QM
๐ Risk Score Breakdown
Total Risk Score
90/100
Contributing Factors
Suspicious Domain
The domain is not an official DHL domain and uses a free dynamic DNS provider.
Obfuscation
Obfuscation makes it harder to understand what the code is doing.
Form Detected
The page has forms likely designed to collect data.
Telegram Token Found
Indicates data exfiltration to Telegram bot.
Delivery scam
The scam pretends to be a delivery service.
๐ฌ Comprehensive Threat Analysis
Threat Type
Credential Harvesting Kit
Target
DHL users (International)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
Telegram Bot (8519633985:AAF3Nyhy5...)
Risk Assessment
CRITICAL - Automated credential harvesting with Telegram Bot (8519633985:AAF3Nyhy5...)
โ ๏ธ Indicators of Compromise
- 1 Telegram bot token(s)
- Kit types: Credential Harvester
- 208 obfuscation techniques
๐ข Brand Impersonation Analysis
Impersonated Brand
DHL
Official Website
https://www.dhl.com/global/en/home.html
Fake Service
DHL delivery service
Fraudulent Claims
โ๏ธ Attack Methodology
Primary Method: Credential Harvesting
The attacker aims to steal user credentials (username, password) and/or payment information by impersonating a legitimate DHL delivery notification.
Secondary Method: Malware distribution
The 'Continue' button likely redirects to a form to enter credentials and possibly downloads malware or redirects to a different malicious site.
๐ก Telegram Command & Control Infrastructure
Bot Token (Masked)
8519633985:AAF3...Xkas8_QM
Bot ID
8519633985
Group/Chat ID
Unknown
Operator Language
Unknown
๐ฌ Message Templates (3)
| ID | Portuguese | English | Trigger |
|---|---|---|---|
๐ Infrastructure Indicators of Compromise
Domain Information
Domain
track-dhl-delivery.duckdns.org
Registered
None
Registrar
DuckDNS
Status
Active
๐ค AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
DHL
https://inuclo.com/wp-content/uploads/2026/ini2/DHLnew/?toke...
Apr 14, 2026
DHL
https://inuclo.com/wp-content/uploads/2026/ini2/DHLnew/track...
Apr 14, 2026
DHL
http://pku.fgr.mybluehost.me/e/DHL/track/track.php
Mar 23, 2026
DHL
https://nlb.bbn.mybluehost.me/Multi/2K25-MultiLang/track/tra...
Mar 08, 2026
DHL
https://nlb.bbn.mybluehost.me/Multi/2K25-MultiLang/track/tra...
Mar 06, 2026
Scan History for track-dhl-delivery.duckdns.org
Found 4 other scans for this domain
"I Never Thought It Would Happen to Me"
That's what 2.3 million victims say every year. Don't wait to become a statistic.