Phishing Analysis: Unknown

Visual Capture

No screenshot available

Detection Info

https://cfmufg.feminist-o.com/JP/CONFIG/

Detected Brand

Unknown

Country

Unknown

Confidence

100%

HTTP Status

200

Report ID

f4275745-ba2…

Analyzed

2026-01-26 13:45

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1712186A364002C2CBA3182248FD3F84943E4B4A5C4282C90F8CD74AE5DE4FF2A887236
CONTENT ssdeep	24:SqOupUEcsE9cQ6YvmLoAdMA7EazSdhFu7WHAjKQvdHYHFj:+upUdf9cQXiuAR8hRAx+H1

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	8f0f0f0f0f0f0f0e
VISUAL aHash	1fffffffffffffff
VISUAL dHash	6000000000000000
VISUAL wHash	10f0f0f0f0f0f0f0
VISUAL colorHash	07000000000
VISUAL cropResistant	6000000000000000

Code Analysis

Risk Score 82/100

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Personal Info

🔒 Obfuscation Detected

fromCharCode
unescape
js_packer
base64_strings

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and OTP Stealer kits with real-time form interception capabilities.

High Obfuscation

263 obfuscation techniques detected in JavaScript, indicating deliberate evasion of analysis.

Malicious JavaScript

Presence of obfuscated JavaScript file (BiPAWbHt.js) with no legitimate purpose identified.

Suspicious Domain

Domain 'cfmufg.feminist-o.com' does not match any known legitimate service and exhibits characteristics of phishing domains.

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

General public

Attack Method

obfuscated JavaScript

Exfiltration Channel

Unknown

Risk Assessment

CRITICAL - Automated credential harvesting with Unknown

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Personal Info
263 obfuscation techniques

🏢 Brand Impersonation Analysis

Fake Service

Unknown (No specific brand or service impersonation detected)

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit is designed to capture login credentials by presenting a fake authentication interface. The kit likely intercepts user input in real-time and transmits it to a remote server controlled by the attacker.

Secondary Method: OTP Stealer

The kit includes functionality to capture one-time passwords (OTPs) or two-factor authentication (2FA) codes, enabling attackers to bypass additional security layers and gain unauthorized access to victim accounts.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

cfmufg.feminist-o.com

Registered

2026-01-13 16:19:48+00:00

Registrar

Cloudflare, Inc.

Status

Recently registered (12 days old)

🦠 Malicious Files

Main File

File Size

Highly obfuscated JavaScript file with no identifiable legitimate functionality.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for your phishing scenario:

```
┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES DECEPTIVE MESSAGE                     │
│    - Email/SMS with link to fake Banking site            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE DISPLAYED                                   │
│    - Victim lands on credential harvesting page          │
│    - Page mimics legitimate Banking interface            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIALS ENTERED                                   │
│    - Victim inputs Banking credentials                   │
│    - Form appears identical to real login                │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURED                                         │
│    - Credentials collected via form submission           │
│    - Sent via HTTP POST to attacker-controlled server    │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

214.2 KB

🔗 API Endpoints Detected

Other

8

🔐 Obfuscation Detected

: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for your phishing scenario:

```
┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES DECEPTIVE MESSAGE                     │
│    - Email/SMS with link to fake Banking site            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE DISPLAYED                                   │
│    - Victim lands on credential harvesting page          │
│    - Page mimics legitimate Banking interface            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIALS ENTERED                                   │
│    - Victim inputs Banking credentials                   │
│    - Form appears identical to real login                │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURED                                         │
│    - Credentials collected via form submission           │
│    - Sent via HTTP POST to attacker-controlled server    │
└──────────────────────────────────────────────────────────┘
```