SafeMode - Analysis: fromtop.pages.dev

Captura Visual

Informações de Detecção

http://fromtop.pages.dev/www

Detected Brand

Zimbra

Country

International

Confiança

95%

HTTP Status

200

Report ID

2536d2e5-7ab…

Analyzed

2026-03-17 13:17

Final URL (after redirects)

https://fromtop.pages.dev/www

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T14B81D7214045AC76858351C46A60BF6857FA83B8C703484CFCEACF8D2AD2EE5E35739A
CONTENT ssdeep	96:kSaZO4eXA3UijcAmOUEs7whV4C6j0Lc9/z:NXSjcaUdUhVB6uc9/z

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b3a3cccc33333166
VISUAL aHash	ffffc3c3e7ffffe7
VISUAL dHash	204d4d4d4d32040c
VISUAL wHash	ffffe7c3e7000000
VISUAL colorHash	070000001c0
VISUAL cropResistant	204d4d4d4d32040c,a280a280a280a200,088bf4f464f0f00e

Análise de Código

Risk Score 63/100

Nível de Ameaça ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

🔬 Threat Analysis Report

• Ameaça: Phishing
• Alvo: Usuários do Zimbra
• Método: Impersonação por meio de uma página de login falsa.
• Exfil: https://xn--80aes0ba.xn--p1ai/ajax/ibi.php
• Indicadores: Hospedagem gratuita, logotipo do Zimbra, formulário para domínio suspeito, ofuscação.
• Risco: ALTO

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

document.write

🎯 Kit Endpoints

https://blog.zimbra.com
https://mail.ibl.bas.bg/css/common,login,zhtml,skin.css?skin=harmony&v=220204081455

📤 Form Action Targets

https://xn--80aes0ba.xn--p1ai/ajax/ibi.php

📊 Detalhamento da Pontuação de Risco

Total Risk Score

90/100

Contributing Factors

Free Hosting and Brand Impersonation

The site is hosted on a free hosting platform (pages.dev) and visually impersonates the login page of Zimbra.

Suspicious Form Action

The form action points to a potentially malicious domain (xn--80aes0ba.xn--p1ai), which is a strong indicator of phishing.

Obfuscation Detected

Obfuscation of javascript code is another indicator of malicious intent.

🔬 Análise Integral de Ameaças

Tipo de Ameaça

Credential Harvesting Kit

Alvo

Zimbra users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltração

HTTP POST to backend

Avaliação de Risco

HIGH - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester
1 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand

Zimbra

Official Website

null

Fake Service

Login Portal

⚔️ Metodologia de Ataque

Primary Method: Credential Harvesting

The attacker is using a fake login form that mimics the Zimbra login page hosted on free hosting to collect user credentials. Victims are tricked into entering their username and password, which are then sent to the attacker.

Secondary Method: Social Engineering

The attacker relies on social engineering techniques by creating a webpage that looks legitimate enough to trick users into entering their login credentials.