SafeMode - Analysis: s.yam.com

Visual Capture

No screenshot available

Detection Info

https://s.yam.com/ZSO1S

Detected Brand

Yam

Country

International

Confidence

100%

HTTP Status

200

Report ID

ec50686c-141…

Analyzed

2026-01-27 23:58

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T18361E7B7E98446B27B53C1F0EAD9480C9702C9CDC7A311D2C9D4026E57A4DB7DC4A16C
CONTENT ssdeep	48:nY5bAVVd6jPJYoD/k6jPBrRV9FP1A2AFP5fJtWtFPMBiw9tKBTtw9t7Bsw9tKB7L:n909TBn9YLfqttw7qtw7qw7xqVB

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9999666666669999
VISUAL aHash	0018181818180000
VISUAL dHash	00b2b2b030301000
VISUAL wHash	183c3c3c3c3c3c00
VISUAL colorHash	38000000c00
VISUAL cropResistant	cc0a4848484fcee0,00b2b2b030301000

Code Analysis

Risk Score 100/100

Threat Level BAJO

🎣 Credential Harvester 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Possible redirection to a potentially malicious link.
• Target: Users of Yam Share service
• Method: Automatic redirection after a countdown
• Exfil: No direct exfiltration detected, but potential redirection to a malicious site.
• Indicators: Link shortener domain with auto redirection. The destination domain looks suspicious.
• Risk: LOW - Redirection to a possibly unsafe location.

🔒 Obfuscation Detected

atob
fromCharCode
unicode_escape
base64_strings

📡 API Calls Detected

https://www.google.com/ccm/geo
POST

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and Personal Info kit types with real-time form interception capabilities.

High Obfuscation

100 obfuscation techniques detected, indicating deliberate evasion of static analysis and manual inspection.

Brand Impersonation

Impersonates Yam, a legitimate service, to deceive users into submitting sensitive information.

Suspicious JavaScript Files

Presence of dynamic_widget_v1.js (0.19 MB) with no clear legitimate purpose and potential for malicious payload delivery.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Yam users (International)

Attack Method

credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, Banking, Personal Info
100 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Yam

Official Website

https://www.yam.com

Fake Service

Unknown (no specific service or claims detected)

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit employs form fields to capture user credentials in real-time. Submitted data is likely exfiltrated to a remote server controlled by the attacker, enabling account takeover or identity theft.

Secondary Method: Personal Information Theft

Additional forms may be designed to harvest personally identifiable information (PII) such as names, addresses, or phone numbers, which can be used for further social engineering or sold on dark web marketplaces.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

s.yam.com

Registered

1996-02-14 05:00:00+00:00

Registrar

Network Solutions, LLC

Status

Active (10940 days old)

🦠 Malicious Files

Main File

File Size

Highly obfuscated JavaScript file with potential for credential harvesting or malicious payload delivery.

📊 Attack Flow Diagram

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Fake email/SMS impersonating Yam Banking            │
│    - Contains link to fraudulent login page              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM VISITS FAKE YAM SITE                            │
│    - Loads spoofed Banking portal                        │
│    - Displays convincing login interface                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

197.3 KB

🔗 API Endpoints Detected

Other

11

🔐 Obfuscation Detected

: None
: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Fake email/SMS impersonating Yam Banking            │
│    - Contains link to fraudulent login page              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM VISITS FAKE YAM SITE                            │
│    - Loads spoofed Banking portal                        │
│    - Displays convincing login interface                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘