SafeMode - Analysis: fromtop.pages.dev

Captura Visual

Informações de Detecção

http://fromtop.pages.dev/info.php

Detected Brand

Zimbra

Country

International

Confiança

95%

HTTP Status

200

Report ID

a642b993-ecb…

Analyzed

2026-03-17 13:11

Final URL (after redirects)

https://fromtop.pages.dev/info.php

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T14B81D7214045AC76858351C46A60BF6857FA83B8C703484CFCEACF8D2AD2EE5E35739A
CONTENT ssdeep	96:kSaZO4eXA3UijcAmOUEs7whV4C6j0Lc9/z:NXSjcaUdUhVB6uc9/z

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b3a3cccc33333166
VISUAL aHash	ffffc3c3e7ffffe7
VISUAL dHash	204d4d4d4d32040c
VISUAL wHash	ffffe7c3e7000000
VISUAL colorHash	070000001c0
VISUAL cropResistant	204d4d4d4d32040c,a280a280a280a200,088bf4f464f0f00e

Análise de Código

Risk Score 63/100

Nível de Ameaça ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

🔬 Threat Analysis Report

• Ameaça: Phishing
• Alvo: Usuários do Zimbra
• Método: Imitação via formulário de login em um site de hospedagem gratuita.
• Exfil: https://xn--80aes0ba.xn--p1ai/ajax/ibi.php
• Indicadores: Hospedagem gratuita, logotipo da marca, ações de formulário para domínio suspeito.
• Risco: ALTO

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

document.write

🎯 Kit Endpoints

https://mail.ibl.bas.bg/css/common,login,zhtml,skin.css?skin=harmony&v=220204081455
https://blog.zimbra.com

📤 Form Action Targets

https://xn--80aes0ba.xn--p1ai/ajax/ibi.php

📊 Detalhamento da Pontuação de Risco

Total Risk Score

90/100

Contributing Factors

Free Hosting + Brand Logo

This is a key indicator of phishing.

Suspicious Form Actions

Form submitting data to a suspicious URL. (xn--80aes0ba.xn--p1ai)

Obfuscation Detected

Obfuscated code is a common technique to hide malicious actions

🔬 Análise Integral de Ameaças

Tipo de Ameaça

Credential Harvesting Kit

Alvo

Zimbra users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltração

HTTP POST to backend

Avaliação de Risco

HIGH - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester
1 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand

Zimbra

Official Website

null

Fake Service

Zimbra Login

⚔️ Metodologia de Ataque

Primary Method: Credential Harvesting

The attacker is attempting to steal user credentials by mimicking the Zimbra login page on a free hosting service. Users will be tricked into entering their login details, which are then captured by the attacker.