urlscan.io logo urlscan.io
SecurityTrails logo

demabg.eu Open in urlscan Pro
5.104.171.31  Malicious Activity! Public Scan

Go To Rescan Add Verdict Report
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Submission: On May 18 via automatic, source openphish — Scanned from DE
 Behaviour Indicators
Similar DOM Content API
Verdicts

Summary

This website contacted 3 IPs in 2 countries across 3 domains to perform 9 HTTP transactions. The main IP is 5.104.171.31, located in Bulgaria and belongs to ICN-, BG. The main domain is demabg.eu.
TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on December 19th 2022. Valid for: a year.
This is the only time demabg.eu was scanned on urlscan.io!

urlscan.io Verdict: Potentially Malicious

Targeting these brands: Facebook (Social Network)

Domain & IP information

IP Address AS Autonomous System
1 8 5.104.171.31 49699 (ICN-)
1 2a03:2880:f08... 32934 (FACEBOOK)
1 2a03:2880:f17... 32934 (FACEBOOK)
9 3
Apex Domain
Subdomains		 Transfer
8 demabg.eu
demabg.eu
263 KB
1 facebook.com
facebook.com — Cisco Umbrella Rank: 27
2 KB
1 fbcdn.net
static.xx.fbcdn.net — Cisco Umbrella Rank: 797
1 KB
9 3
Domain Requested by
8 demabg.eu 1 redirects demabg.eu
1 facebook.com demabg.eu
1 static.xx.fbcdn.net demabg.eu
9 3

This site contains no links.

Subject Issuer Validity Valid
www.demabg.eu
Sectigo RSA Domain Validation Secure Server CA		 2022-12-19 -
2024-01-18		 a year crt.sh
*.facebook.com
DigiCert SHA2 High Assurance Server CA		 2023-02-24 -
2023-05-25		 3 months crt.sh

This page contains 1 frames:

Primary Page: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Frame ID: E728B05CA8BBBC0D5889FB109398DAA6
Requests: 9 HTTP requests in this frame

Screenshot
Live screenshot
Full Image

Page Title

Facebook – log in or sign up

Detected technologies

Overall confidence: 100%
Detected patterns
  • /wp-(?:content|includes)/

Page Statistics

9
Requests

89 %
HTTPS

67 %
IPv6

3
Domains

3
Subdomains

3
IPs

2
Countries

266 kB
Transfer

265 kB
Size

1
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 7
  • https://demabg.eu/rsrc.php/v3/yj/r/EDFsehamV8T.png HTTP 301
  • https://demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/

9 HTTP transactions

Resource
Path		 Size
x-fer		 Type
MIME-Type
Primary Request /
demabg.eu/wp-includes/Text/Diff/mode/Fbm/ 		10 KB
10 KB 		Document
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
997674a0f441f7e8c5e0e6cd091aaf67cc7803f1497f7d7d9de2fd81e45aa05a

Request headers

Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36
accept-language
de-DE,de;q=0.9

Response headers

cache-control
no-store, no-cache, must-revalidate
content-type
text/html; charset=UTF-8
date
Thu, 18 May 2023 05:18:08 GMT
expires
Thu, 19 Nov 1981 08:52:00 GMT
pragma
no-cache
server
Apache
fak.css
demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/ 		15 KB
15 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/fak.css
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
dfa6b65f287498c1423afff9c2e2e6ca235fcab9ca5716fc17f7c7546e1c66f9

Request headers

Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Origin
https://demabg.eu
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:08 GMT
last-modified
Wed, 09 Nov 2022 14:11:24 GMT
server
Apache
accept-ranges
bytes
etag
"a270199-3bd4-5ed0a3b4e5b00"
content-length
15316
content-type
text/css
Lili.css
demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/ 		90 KB
90 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/Lili.css
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
779865d0e75fc073f1577ab0dc8c1e1d6aeabba5ee40a7c53d984d149bd2b918

Request headers

Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Origin
https://demabg.eu
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:08 GMT
last-modified
Wed, 09 Nov 2022 14:11:24 GMT
server
Apache
accept-ranges
bytes
etag
"a27019b-1694a-5ed0a3b4e5b00"
content-length
92490
content-type
text/css
banana.css
demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/ 		7 KB
7 KB 		Stylesheet
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/banana.css
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
d7476964b6524d83272bd58967b3fa74530843bcefdbe727544f2af8d1e00489

Request headers

Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Origin
https://demabg.eu
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:08 GMT
last-modified
Wed, 09 Nov 2022 14:11:24 GMT
server
Apache
accept-ranges
bytes
etag
"a2701a3-1aa6-5ed0a3b4e5b00"
content-length
6822
content-type
text/css
zab.js
demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/ 		98 KB
98 KB 		Script
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/zab.js
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
5b0df72a353d4337c21af23f3f15d3f738e6ccc1680e2ab45e85eccedb396804

Request headers

Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Origin
https://demabg.eu
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:08 GMT
last-modified
Wed, 09 Nov 2022 14:11:24 GMT
server
Apache
accept-ranges
bytes
etag
"a2701a1-186a6-5ed0a3b4e5b00"
content-length
100006
content-type
application/javascript
Lili.js
demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/ 		857 B
910 B 		Script
General
Check archive.org
Download Go to
Full URL
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/sat/Lili.js
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
8b6e74d56bcb7fe1d99c6cb8e522abffbd5fbd508553811abe6e375c9b5ad60f

Request headers

Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Origin
https://demabg.eu
accept-language
de-DE,de;q=0.9
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:08 GMT
last-modified
Wed, 09 Nov 2022 14:11:24 GMT
server
Apache
accept-ranges
bytes
etag
"a2701a4-359-5ed0a3b4e5b00"
content-length
857
content-type
application/javascript
dF5SId3UHWd.svg
static.xx.fbcdn.net/rsrc.php/y8/r/ 		2 KB
1 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://static.xx.fbcdn.net/rsrc.php/y8/r/dF5SId3UHWd.svg
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f083:100:face:b00c:0:3 Frankfurt am Main, Germany, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
9531e96099e973b3d1c291f3e60419d8fe4730f46de8a492fccd2b4c962c96ce
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://demabg.eu/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

date
Thu, 18 May 2023 05:18:07 GMT
content-encoding
br
x-content-type-options
nosniff
content-md5
NiMA5zHIsmaYxSYEaw9fHg==
document-policy
force-load-at-top
cross-origin-resource-policy
cross-origin
alt-svc
h3=":443"; ma=86400
content-length
1027
x-fb-rlafr
0
x-fb-debug
MI/WTekfmO8SfqldKZLj4k+t74w9O1mxzUo0fMqr7lt8lCbOPXNVs7jnJSyweHCgmWhkQvZljZSnFRIaZ0XReg==
x-fb-trip-id
1679558926
last-modified
Mon, 01 Jan 2001 08:00:00 GMT
vary
Accept-Encoding
content-type
image/svg+xml
access-control-allow-origin
*
origin-agent-cluster
?0
cache-control
public,max-age=31536000,immutable
permissions-policy
accelerometer=()
timing-allow-origin
*
expires
Thu, 09 May 2024 20:06:39 GMT
hsts-pixel.gif
facebook.com/security/ 		43 B
2 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://facebook.com/security/hsts-pixel.gif
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/?i=129643&oYM9G=
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f176:181:face:b00c:0:25de Frankfurt am Main, Germany, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87
Security Headers
Name Value
Content-Security-Policy default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
Strict-Transport-Security max-age=15552000; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://demabg.eu/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

content-security-policy
default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com *.fbcdn.net 'unsafe-eval';script-src *.facebook.com *.fbcdn.net 'unsafe-inline' blob: data: 'self' 'unsafe-eval';style-src *.fbcdn.net data: *.facebook.com 'unsafe-inline';connect-src *.facebook.com facebook.com *.fbcdn.net wss://*.facebook.com:* wss://*.fbcdn.net attachment.fbsbx.com blob: *.cdninstagram.com 'self' http://localhost:3103 wss://gateway.facebook.com wss://edge-chat.facebook.com wss://snaptu-d.facebook.com wss://kaios-d.facebook.com/ *.fbsbx.com;font-src data: *.facebook.com *.fbcdn.net *.fbsbx.com;img-src *.fbcdn.net *.facebook.com data: https://*.fbsbx.com facebook.com *.cdninstagram.com fbsbx.com fbcdn.net blob: android-webview-video-poster: *.oculuscdn.com;media-src *.cdninstagram.com blob: *.fbcdn.net *.fbsbx.com www.facebook.com *.facebook.com data:;frame-src *.facebook.com *.fbsbx.com fbsbx.com data: *.fbcdn.net;worker-src blob: *.facebook.com data:;block-all-mixed-content;upgrade-insecure-requests;report-uri https://www.facebook.com/csp/reporting/?m=c&minimize=0;
content-encoding
br
x-content-type-options
nosniff
strict-transport-security
max-age=15552000; includeSubDomains
date
Thu, 18 May 2023 05:18:07 GMT
document-policy
force-load-at-top
cross-origin-resource-policy
cross-origin
alt-svc
h3=":443"; ma=86400
x-fb-rlafr
0
x-xss-protection
0
pragma
no-cache
x-fb-debug
WB/YXIQF4kBwDzHFsqffp08iMLjGy90Zy06oGl8Ep6fZrV3Q38cy4LAKW2N+0TykG1gO75SmW3NYVGglFDQy4A==
cross-origin-embedder-policy-report-only
require-corp;report-to="coep_report"
cross-origin-opener-policy
same-origin-allow-popups
vary
Accept-Encoding
report-to
{"max_age":86400,"endpoints":[{"url":"https:\/\/www.facebook.com\/browser_reporting\/?minimize=0"}],"group":"coep_report"}
content-type
image/gif
x-frame-options
DENY
access-control-allow-origin
*
origin-agent-cluster
?0
cache-control
private, no-cache, no-store, must-revalidate
permissions-policy
accelerometer=(), ambient-light-sensor=(), bluetooth=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), midi=(), screen-wake-lock=(), serial=(), usb=()
expires
Sat, 01 Jan 2000 00:00:00 GMT
/
demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/
Redirect Chain
  • https://demabg.eu/rsrc.php/v3/yj/r/EDFsehamV8T.png
  • https://demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/
43 KB
43 KB 		Image
General
Check archive.org
Download Go to Show image
Full URL
https://demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/
Requested by
Host: demabg.eu
URL: https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/fak.css
Protocol
H2
Server
5.104.171.31 , Bulgaria, ASN49699 (ICN-, BG),
Reverse DNS
demabg.eu
Software
Apache /
Resource Hash
5a44b6bac0a62f00657f3df6b32f0a7b73a8ae0a72d49c848b11df9b0e953d66

Request headers

accept-language
de-DE,de;q=0.9
Referer
https://demabg.eu/wp-includes/Text/Diff/mode/Fbm/maroc/fak.css
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.126 Safari/537.36

Response headers

content-type
text/html; charset=UTF-8
date
Thu, 18 May 2023 05:18:09 GMT
cache-control
no-cache, must-revalidate, max-age=0
server
Apache
link
<https://demabg.eu/bg/wp-json/>; rel="https://api.w.org/"
expires
Wed, 11 Jan 1984 05:00:00 GMT

Redirect headers

date
Thu, 18 May 2023 05:18:08 GMT
server
Apache
x-redirect-by
WordPress
content-type
text/html; charset=UTF-8
location
https://demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/
cache-control
no-cache, must-revalidate, max-age=0
content-length
0
expires
Wed, 11 Jan 1984 05:00:00 GMT

Verdicts & Comments Add Verdict or Comment

Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!

urlscan

Phishing against: Facebook (Social Network)

2 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

boolean| credentialless function| __updateOrientation

1 Cookies

Domain/Path Name / Value
demabg.eu/ Name: PHPSESSID
Value: bb97e53f338b91b19996740be00ca8b8

1 Console Messages

Source Level URL
Text
network error URL: https://demabg.eu/bg/rsrc.php/v3/yj/r/EDFsehamV8T.png/
Message:
Failed to load resource: the server responded with a status of 404 ()