Phishing Analysis
Detailed analysis of captured phishing page
Captura Visual
Información de Detección
https://track-dhl-delivery.duckdns.org/track/track.php
Detected Brand
DHL
Country
International
Confianza
96%
HTTP Status
N/A
Report ID
e370a9cc-889…
Analyzed
2026-03-05 12:29
Hashes de Contenido (Similitud HTML)
Used to detect similar phishing pages based on HTML content
| Algorithm | Hash Value |
|---|---|
|
CONTENT
TLSH
|
T1884158B443A3D92B44B2D2C9B6B91B5B63C0829CCAE3161163EDC39D0FEEC55FC52140 |
|
CONTENT
ssdeep
|
24:hR/CH4mOLohuxBVLxnjz5EB8p0KKohzohun/ipmHp:T24myoa3LNe8p0ytp |
Hashes Visuales (Similitud de Captura)
Used to detect visually similar phishing pages based on screenshots
| Algorithm | Hash Value |
|---|---|
|
VISUAL
pHash
|
b673591c1c535d1c |
|
VISUAL
aHash
|
00e7e7e7dfffffff |
|
VISUAL
dHash
|
2a0c4e0c36240000 |
|
VISUAL
wHash
|
00c3e7e7001b0f0f |
|
VISUAL
colorHash
|
07000038000 |
|
VISUAL
cropResistant
|
2a0c4e0c36240000 |
Análisis de Código
Risk Score
81/100
Nivel de Amenaza
ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester
Telegram Exfiltration
🔬 Threat Analysis Report
• Amenaza: Phishing
• Objetivo: Clientes de DHL
• Método: Suplantación de identidad mediante una falsa notificación de entrega
• Exfil: Bot de Telegram
• Indicadores: Dominio sospechoso, urgencia, solicitud de pago.
• Riesgo: Alto
🔒 Obfuscation Detected
- fromCharCode
- js_packer
📡 API Calls Detected
- https://ipwho.is/
🔑 Telegram Bot Tokens (1)
- 8519633985:AAF3...Xkas8_QM
📊 Desglose de Puntuación de Riesgo
Total Risk Score
90/100
Contributing Factors
Suspicious Domain
The domain is not an official DHL domain and uses a free dynamic DNS provider.
Obfuscation
Obfuscation makes it harder to understand what the code is doing.
Form Detected
The page has forms likely designed to collect data.
Telegram Token Found
Indicates data exfiltration to Telegram bot.
Delivery scam
The scam pretends to be a delivery service.
🔬 Análisis Integral de Amenazas
Tipo de Amenaza
Credential Harvesting Kit
Objetivo
DHL users (International)
Método de Ataque
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Canal de Exfiltración
Telegram Bot (8519633985:AAF3Nyhy5...)
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with Telegram Bot (8519633985:AAF3Nyhy5...)
⚠️ Indicators of Compromise
- 1 Telegram bot token(s)
- Kit types: Credential Harvester
- 208 obfuscation techniques
🏢 Análisis de Suplantación de Marca
Impersonated Brand
DHL
Official Website
https://www.dhl.com/global/en/home.html
Fake Service
DHL delivery service
Fraudulent Claims
⚔️ Metodología de Ataque
Primary Method: Credential Harvesting
The attacker aims to steal user credentials (username, password) and/or payment information by impersonating a legitimate DHL delivery notification.
Secondary Method: Malware distribution
The 'Continue' button likely redirects to a form to enter credentials and possibly downloads malware or redirects to a different malicious site.
📡 Infraestructura de Comando y Control Telegram
Bot Token (Masked)
8519633985:AAF3...Xkas8_QM
Bot ID
8519633985
Group/Chat ID
Unknown
Operator Language
Unknown
💬 Message Templates (3)
| ID | Portugués | Inglés | Trigger |
|---|---|---|---|
🌐 Indicadores de Compromiso de Infraestructura
Domain Information
Dominio
track-dhl-delivery.duckdns.org
Registered
None
Registrar
DuckDNS
Estado
Active
🤖 AI-Extracted Threat Intelligence
Similar Websites
Pages with identical visual appearance (based on perceptual hash)
DHL
https://inuclo.com/wp-content/uploads/2026/ini2/DHLnew/?toke...
Abr 14, 2026
DHL
https://inuclo.com/wp-content/uploads/2026/ini2/DHLnew/track...
Abr 14, 2026
DHL
http://pku.fgr.mybluehost.me/e/DHL/track/track.php
Mar 23, 2026
DHL
https://nlb.bbn.mybluehost.me/Multi/2K25-MultiLang/track/tra...
Mar 08, 2026
DHL
https://nlb.bbn.mybluehost.me/Multi/2K25-MultiLang/track/tra...
Mar 06, 2026
Scan History for track-dhl-delivery.duckdns.org
Found 4 other scans for this domain
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.