![](/screenshots/50e4bcb7-4154-47d7-bc2f-4e79d3578fa0.png)
pp-2021amneld.xyz
Open in
urlscan Pro
2606:4700:3031::ac43:932b
Malicious Activity!
Public Scan
Effective URL: https://pp-2021amneld.xyz/?hKgBYRcQe8i273iMCUpqWiHQGUFPtSA3zQWVfdA08skNP60Xluwgh7CsrTCyLzLk2olCNLyoQveaXrE8x0l2OUFJRowZZ1E...
Submission: On September 30 via manual from DE — Scanned from DE
Summary
TLS certificate: Issued by Cloudflare Inc ECC CA-3 on September 29th 2021. Valid for: a year.
This is the only time pp-2021amneld.xyz was scanned on urlscan.io!
urlscan.io Verdict: Potentially Malicious
Targeting these brands: PayPal (Financial)Domain & IP information
IP Address | AS Autonomous System | ||
---|---|---|---|
1 1 | 2606:4700:10:... 2606:4700:10::ac43:8ee | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 1 | 172.67.151.208 172.67.151.208 | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 1 | 2606:4700:303... 2606:4700:3035::6815:4f7c | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 8 | 2606:4700:303... 2606:4700:3031::ac43:932b | 13335 (CLOUDFLAR...) (CLOUDFLARENET) | |
1 | 34.117.59.81 34.117.59.81 | 15169 (GOOGLE) (GOOGLE) | |
8 | 2 |
ASN15169 (GOOGLE, US)
PTR: 81.59.117.34.bc.googleusercontent.com
ipinfo.io |
Apex Domain Subdomains |
Transfer | |
---|---|---|
8 |
pp-2021amneld.xyz
1 redirects
pp-2021amneld.xyz |
50 KB |
1 |
ipinfo.io
ipinfo.io |
374 B |
1 |
rainerwinkler1510.xyz
1 redirects
rainerwinkler1510.xyz |
610 B |
1 |
inside-bobsch.xyz
1 redirects
inside-bobsch.xyz |
754 B |
1 |
cutt.ly
1 redirects
cutt.ly |
484 B |
8 | 5 |
Domain | Requested by | |
---|---|---|
8 | pp-2021amneld.xyz |
1 redirects
pp-2021amneld.xyz
|
1 | ipinfo.io |
pp-2021amneld.xyz
|
1 | rainerwinkler1510.xyz | 1 redirects |
1 | inside-bobsch.xyz | 1 redirects |
1 | cutt.ly | 1 redirects |
8 | 5 |
This site contains no links.
Subject Issuer | Validity | Valid | |
---|---|---|---|
sni.cloudflaressl.com Cloudflare Inc ECC CA-3 |
2021-09-29 - 2022-09-28 |
a year | crt.sh |
ipinfo.io GTS CA 1D4 |
2021-09-05 - 2021-12-04 |
3 months | crt.sh |
This page contains 1 frames:
Primary Page:
https://pp-2021amneld.xyz/?hKgBYRcQe8i273iMCUpqWiHQGUFPtSA3zQWVfdA08skNP60Xluwgh7CsrTCyLzLk2olCNLyoQveaXrE8x0l2OUFJRowZZ1EomSk9Mnyunnjm6cLTzeFADXA5piLIJeLh&c=qfrtturc25n8blhp5923pugk91&c=qfrtturc25n8blhp5923pugk91
Frame ID: 7656F255FD56F304C46473F726217DA4
Requests: 8 HTTP requests in this frame
Screenshot
![](/screenshots/50e4bcb7-4154-47d7-bc2f-4e79d3578fa0.png)
Page Title
PayPal VerifizierungPage URL History Show full URLs
-
https://cutt.ly/NEUtpFm
HTTP 301
http://inside-bobsch.xyz/SSbNyiLm HTTP 302
https://rainerwinkler1510.xyz/hans HTTP 307
https://pp-2021amneld.xyz/?s=mfszj14dn0wlb7z9co2wuerzvdstlxhc HTTP 303
https://pp-2021amneld.xyz/?hKgBYRcQe8i273iMCUpqWiHQGUFPtSA3zQWVfdA08skNP60Xluwgh7CsrTCyLzLk2olCNLyoQve... Page URL
Page Statistics
0 Outgoing links
These are links going to different origins than the main page.
Page URL History
This captures the URL locations of the websites, including HTTP redirects and client-side redirects via JavaScript or Meta fields.
-
https://cutt.ly/NEUtpFm
HTTP 301
http://inside-bobsch.xyz/SSbNyiLm HTTP 302
https://rainerwinkler1510.xyz/hans HTTP 307
https://pp-2021amneld.xyz/?s=mfszj14dn0wlb7z9co2wuerzvdstlxhc HTTP 303
https://pp-2021amneld.xyz/?hKgBYRcQe8i273iMCUpqWiHQGUFPtSA3zQWVfdA08skNP60Xluwgh7CsrTCyLzLk2olCNLyoQveaXrE8x0l2OUFJRowZZ1EomSk9Mnyunnjm6cLTzeFADXA5piLIJeLh&c=qfrtturc25n8blhp5923pugk91&c=qfrtturc25n8blhp5923pugk91 Page URL
Redirected requests
There were HTTP redirect chains for the following requests:
8 HTTP transactions
Method Protocol |
Resource Path |
Size x-fer |
Type MIME-Type |
||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GET H2 |
Primary Request
/
pp-2021amneld.xyz/ Redirect Chain
|
9 KB 3 KB |
Document
text/html |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
Redirect headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
ppstyle.css
pp-2021amneld.xyz/assets/paypal/ |
83 KB 14 KB |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
extra.css
pp-2021amneld.xyz/assets/paypal/ |
2 KB 894 B |
Stylesheet
text/css |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
invisible.js
pp-2021amneld.xyz/cdn-cgi/challenge-platform/h/b/scripts/ |
44 KB 16 KB |
Script
text/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
extends.js
pp-2021amneld.xyz/assets/ |
29 KB 11 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
scripts.js
pp-2021amneld.xyz/assets/paypal/ |
8 KB 2 KB |
Script
application/javascript |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
json
ipinfo.io/ |
250 B 374 B |
XHR
application/json |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
GET H2 |
paypal-logo-129x32.svg
pp-2021amneld.xyz/assets/paypal/img/ |
5 KB 2 KB |
Image
image/svg+xml |
||||||||||||||||||||||||||||||||||||||||||||||||||
General
Request headers
Response headers
|
Verdicts & Comments Add Verdict or Comment
Potentially malicious activity detected
Disclaimer: These verdicts should be used to detect potentially malicious websites, not as a final verdict!
urlscan
Phishing against: PayPal (Financial)28 JavaScript Global Variables
These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.
object| onbeforexrselect boolean| originAgentCluster function| __cf_worker_run_after_load function| __cf_run_after_load object| __CF$cv$params object| fonts string| plugins function| getFingerPrint function| getPlugins function| getFonts string| ip function| prepareLogin function| Detector object| megafontlist object| files function| submitForm function| fileSelect string| lastToggle function| toggleInputField number| lastDobLength function| dobChanger function| submitInternal function| getCookie boolean| bankReady function| openBankFrame function| bankFrameReady function| bankFinished string| fingerprint3 Cookies
Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.
Domain/Path | Expires | Name / Value |
---|---|---|
cutt.ly/ | Name: PHPSESSID Value: km4hs9baslauufg6i92uerfb66 |
|
pp-2021amneld.xyz/ | Name: PHPSESSID Value: qfrtturc25n8blhp5923pugk91 |
|
pp-2021amneld.xyz/ | Name: usid Value: 1c90406e9abfc85096a601a229d25a3d |
Indicators
This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.
cutt.ly
inside-bobsch.xyz
ipinfo.io
pp-2021amneld.xyz
rainerwinkler1510.xyz
172.67.151.208
2606:4700:10::ac43:8ee
2606:4700:3031::ac43:932b
2606:4700:3035::6815:4f7c
34.117.59.81
0df04eb70f61fafc372c81f0c4c6b758b6f1df629559d80ea2b0811466931adf
55424431c53b15d28e63977c63d54d1353aef24c691022215f95c4317e6daa27
587f1fd7d9d6d7128d739e8cbc899505089bdce3da731cda84e745ffabb0929f
590a431a9019e4d1508e63732ebe71a821698f6ec70946b627f2384317fdf468
5df8c8e700522d4b03352deb4ab74a2c62edd040046f7c90d90a512420b06787
b3cc50b9e94bbecaaeb1079b64b8ca50616d1732824964c1cc2c5422627a0ec5
bf2f34f24b40546e3bcb75404e49f1b5050bd9e9b192d0f77194ed18a4698b23
e0782f6dbb0c5dced4285f8d1102a2557c7297b7dce77616ae0b44fec704bf1e