Phishing Analysis
Detailed analysis of captured phishing page
Captura Visual
Información de Detección
http://stately-mooncake-4edd1f.netlify.app/
Detected Brand
Excel
Country
Unknown
Confianza
100%
HTTP Status
200
Report ID
d3b27466-3ec…
Analyzed
2026-01-27 11:28
Final URL (after redirects)
https://stately-mooncake-4edd1f.netlify.app/
Hashes de Contenido (Similitud HTML)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T11B41877150508C77B583CADC76E89A1A35C2C109CBE31A0866FC97AC2BEDD9BED13258 |
|
CONTENT
ssdeep
|
48:nIYBo+Nws5tCUmlS+WhhtXMz6Cn6fSBgoI6s+JuU:nhek+W7GSqNZJB |
Hashes Visuales (Similitud de Captura)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
ca89c926b26b6d59 |
|
VISUAL
aHash
|
f8f8f8f0f4f0f0f8 |
|
VISUAL
dHash
|
1113110505050101 |
|
VISUAL
wHash
|
f8f8f8f0f0e0e0e0 |
|
VISUAL
colorHash
|
06000000e00 |
|
VISUAL
cropResistant
|
040c0c0101010000,0000000000000000,86ccec7179eccc96,131f3343c3a31e14 |
Análisis de Código
Risk Score
100/100
Nivel de Amenaza
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
🎣 OTP Stealer
🎣 Personal Info
🔒 Obfuscation Detected
- atob
- fromCharCode
- unescape
- document.write
- js_packer
- base64_strings
📊 Desglose de Puntuación de Riesgo
Total Risk Score
100/100
Contributing Factors
Active Phishing Kit
Detected Credential Harvester and OTP Stealer kits with real-time form interception capabilities.
High Obfuscation
361 obfuscation techniques detected, indicating deliberate evasion of analysis and detection.
Brand Impersonation
Impersonates Microsoft Excel, a high-value target for credential theft and personal information harvesting.
Hosting on Legitimate Service
Hosted on Netlify, a legitimate cloud platform, to bypass reputation-based security filters.
🔬 Análisis Integral de Amenazas
Tipo de Amenaza
Two-Factor Authentication Stealer
Objetivo
Excel users
Método de Ataque
credential harvesting forms + obfuscated JavaScript
Canal de Exfiltración
Form submission (backend endpoint not detected - likely JavaScript-based)
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)
⚠️ Indicators of Compromise
- Kit types: Credential Harvester, OTP Stealer, Personal Info
- 361 obfuscation techniques
🏢 Análisis de Suplantación de Marca
Impersonated Brand
Microsoft Excel
Official Website
https://www.microsoft.com/en-us/microsoft-365/excel
Fake Service
Fake Excel login or account verification page
⚔️ Metodología de Ataque
Primary Method: Credential Harvesting
The phishing kit captures user credentials by presenting a fake Microsoft Excel login page. Submitted credentials are likely exfiltrated to a remote server controlled by the attacker for immediate use or sale.
Secondary Method: Personal Information Theft
The kit includes forms designed to harvest additional personal information, such as name, address, or phone number, which can be used for identity theft or further targeted attacks.
🌐 Indicadores de Compromiso de Infraestructura
Domain Information
Dominio
stately-mooncake-4edd1f.netlify.app
Registered
Unknown
Registrar
Unknown
Estado
Hosting platform (subdomain)
🦠 Malicious Files
Main File
File Size
No specific malicious JavaScript files detected, but high obfuscation indicates evasion techniques.
📊 Diagrama de Flujo de Ataque
┌──────────────────────────────────────────────────────────┐
│ 1. TARGET RECEIVES PHISHING LURE │
│ - Email/SMS with fake Excel Banking alert │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK │
│ - Redirects to fake Excel login page │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL INPUT │
│ - Victim enters Banking credentials │
│ - Form appears identical to legitimate Excel site │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 4. CREDENTIAL EXFILTRATION │
│ - Data sent via HTTP POST (standard form submission) │
│ - Attacker receives stolen credentials │
└──────────────────────────────────────────────────────────┘
🤖 AI-Extracted Threat Intelligence
📊 Attack Flow
┌──────────────────────────────────────────────────────────┐
│ 1. TARGET RECEIVES PHISHING LURE │
│ - Email/SMS with fake Excel Banking alert │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK │
│ - Redirects to fake Excel login page │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL INPUT │
│ - Victim enters Banking credentials │
│ - Form appears identical to legitimate Excel site │
└────────────────────┬─────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────┐
│ 4. CREDENTIAL EXFILTRATION │
│ - Data sent via HTTP POST (standard form submission) │
│ - Attacker receives stolen credentials │
└──────────────────────────────────────────────────────────┘
🎯 Malicious Files Identified
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
Microsoft Excel
https://regal-concha-e4c379.netlify.app/
May 21, 2026
Microsoft Excel
http://regal-concha-e4c379.netlify.app/
May 19, 2026
Microsoft Excel
http://scintillating-biscotti-6c828c.netlify.app/
May 02, 2026
Microsoft Excel
http://gorgeous-puffpuff-d1509c.netlify.app/
Mar 18, 2026
Microsoft Excel
https://extraordinary-banoffee-40d5d9.netlify.app/?naps
Feb 25, 2026
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.