Phishing Analysis: OneDrive

Captura Visual

Información de Detección

https://dvh.cil.temporary.site/Doc1

Detected Brand

OneDrive

Country

International

Confidence

100%

HTTP Status

200

Report ID

c3bfbb73-96e…

Analyzed

2026-03-17 17:41

Final URL (after redirects)

https://dvh.cil.temporary.site/Doc1/

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1F0D16270D029CC3B418785D8B2B59B4F3691C255CB230B0467F8A3BE6FEACBAED55254
CONTENT ssdeep	96:TggUUZUbEArkGAnvI5vPelvpAiv9301C5b2K8UnKAkRhfTKDI:3/2AykfvEvmlvtv9EwJ8UnKAYhbKE

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	ce4ea8b96466a6a3
VISUAL aHash	f0f0f0f0f8ffffff
VISUAL dHash	2424242420000000
VISUAL wHash	90900010b0ffffff
VISUAL colorHash	066000080c0
VISUAL cropResistant	2424242420000000,fc987a32f4e47939,b2b210b0e4f0328c

Análisis de Código

Risk Score 74/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Phishing de credenciales
• Objetivo: Usuarios de OneDrive
• Método: Suplantación de identidad con página de inicio de sesión falsa
• Exfil: atob, eval, fromCharCode (Potencial exfiltración de datos vía JavaScript)
• Indicadores: Dominio no coincidente, enlaces a múltiples proveedores de correo electrónico
• Riesgo: Alto

🔒 Obfuscation Detected

atob
eval
fromCharCode

📊 Desglose de Puntuación de Riesgo

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain does not belong to OneDrive

Obfuscated Javascript

Javascript obfuscation detected (atob, eval, fromCharCode), suggesting malicious behavior

Credential Harvesting Attempts

Multiple login options for different providers are classic credential harvesting techniques

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Credential Harvesting Kit

Objetivo

OneDrive users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

Form submission (backend endpoint not detected - likely JavaScript-based)

Evaluación de Riesgo

HIGH - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, Personal Info
11 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

OneDrive

Official Website

https://onedrive.live.com

Fake Service

OneDrive

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The page impersonates OneDrive and presents login links to capture credentials. The buttons likely redirect to real login pages to harvest the entered information, or to a secondary phishing page that steals the data.

Secondary Method: Javascript Obfuscation

The presence of obfuscated Javascript code (atob, eval, fromCharCode) strongly suggests efforts to hide malicious code that steals credentials or redirects to a malicious site after the user enters their credentials.