# PhishDestroy threat dossier — n4zt-2ho6-4s85.adobe-signature-sharedoc-mail-com-s-account.workers.dev
================================================================
Fetched: 2026-06-21 01:18:14 UTC
Canonical: https://phishdestroy.io/domain/n4zt-2ho6-4s85.adobe-signature-sharedoc-mail-com-s-account.workers.dev/

## VERDICT
----------------------------------------------------------------
ACTIVE THREAT — multiple warning signs
Composite threat score: 58/100 (PhishDestroy scoring — see methodology below)

## DETECTION EVIDENCE
----------------------------------------------------------------
VirusTotal: 12/94 security vendors flagged this domain
Flagging vendors: AlphaSOC, Chong Lua Dao, CyRadar, ESET, G-Data, Gridinsoft, LevelBlue, Lionic, MalwareURL, Sophos, URLQuery, VIPRE, Webroot
Public blocklists: listed on 1 independent blocklist

## INFRASTRUCTURE
----------------------------------------------------------------
IP address: 188.114.97.3 (CA, Toronto)
ASN: AS13335 Cloudflare, Inc.
Hosting org: CloudFlare, Inc.
Registrar: Cloudflare Workers
Registered: 2026-04-14
HTTP response: 500

## TLS CERTIFICATE
----------------------------------------------------------------
Issuer: Let's Encrypt / E7
Expires: 2026-06-19
Status: INVALID chain
Fingerprint: 07950bed54db1db56f87735dae42ba44bd2cd4750b8269aa2b0d694276bd2e14
Subject Alternative Names (related infrastructure — often same operator):
- adobe-signature-sharedoc-mail-com-s-account.workers.dev

## ABUSE-REPORT HISTORY (evidence of registrar non-response)
----------------------------------------------------------------
Status: pending notification queue.
No abuse reports filed yet — this domain is waiting for the next cycle of our automated abuse-reporter.

## TIMELINE
----------------------------------------------------------------
Domain registered: 2026-04-14 (per WHOIS / CT — may reflect a renewal or transfer date, not first-ever registration)
First detected: 2026-04-14 17:30:04 UTC (by PhishDestroy tracker)
First reported: 2026-06-15 03:06:14 UTC (abuse notice filed)
Last verified: 2026-06-21 01:45:29 UTC
Current status: ACTIVE / observable

## ANALYST NARRATIVE
----------------------------------------------------------------
[Generated: 2026-06-18 17:25:46 UTC — narrative may predate facts above. Treat fields in TIMELINE / DETECTION EVIDENCE / INFRASTRUCTURE as authoritative if they differ from the prose below.]

This domain poses a high risk as a credential phishing threat, specifically designed to steal login credentials by impersonating Adobe Sign. The site mimics legitimate Adobe document-sharing workflows to trick users into entering their email and password. PhishDestroy assesses this threat as active and severe, given its sophisticated targeting and low detection rate among security vendors.

Technical indicators reveal that the domain was created on April 14, 2026, and is registered through Cloudflare Workers, a service often abused for phishing due to its ease of deployment. It resolves to IP 188.114.97.3 and uses a Let's Encrypt SSL certificate (E7), which provides a false sense of security. VirusTotal data shows that 12 out of 95 security vendors flag this domain, while it appears on one security blocklist. These factors collectively indicate a well-crafted phishing campaign with a moderate chance of evading traditional filters.

To mitigate this threat, users should never enter credentials on sites accessed via unsolicited links, especially those with long, convoluted subdomains. Always verify the URL by manually typing 'adobe.com' into the browser. Enable multi-factor authentication on all Adobe accounts to add an extra layer of protection.
Report any suspicious emails or links to Adobe's security team and use PhishDestroy's domain checker to validate unknown URLs before interacting.

## EVIDENCE HASHES
----------------------------------------------------------------
Favicon MD5: fe06af3bda5ebf359d0f251fa1ee492e
TLS cert SHA-256: 07950bed54db1db56f87735dae42ba44bd2cd4750b8269aa2b0d694276bd2e14

## SCORING METHODOLOGY
----------------------------------------------------------------
Composite score is NOT derived from VirusTotal alone. PhishDestroy aggregates:
- VirusTotal positive ratio
- Public blocklist consensus (MetaMask, ScamSniffer, OpenPhish, PhishTank, URLhaus, CryptoFirewall, SEAL, Polkadot, Enkrypt, Phishunt, DiscordPhishing, PhishingDB)
- Cloaking detection (HTTP 666 or rendering delta between bot and real visitor)
- DNS-filter consensus (Quad9, CleanBrowsing, NextDNS, AdGuard, Cloudflare, etc.)
- AlienVault OTX pulses + Cloudflare Radar + Google Safe Browsing
- URLScan / URLQuery verdicts
- Brand-impersonation heuristics (DOM analysis of forms, logos, wording)
- Known phishing-kit fingerprinting (favicon hash, JS obfuscation signatures)
- Wallet-drainer family classification (Angel, MS, Rainbow, Pink, Inferno, ...)
- Free-TLS vs paid-cert ratio (throwaway infrastructure signal)
- Registrar/hosting abuse history (this registrar's track record)
- Human researcher sign-off (volunteer takedown team)

A domain present in our database is ALREADY flagged. A low VT count by itself does NOT mean the domain is safe — new scam domains routinely show 0/95 VT for their first 7–30 days while actively draining wallets. Always cross-reference the composite score and the individual indicators above, not just VT.

## CORRECTIONS / APPEALS
----------------------------------------------------------------
Full HTML report: https://phishdestroy.io/domain/n4zt-2ho6-4s85.adobe-signature-sharedoc-mail-com-s-account.workers.dev/
JSON API: https://api.destroy.tools/v1/check?domain=n4zt-2ho6-4s85.adobe-signature-sharedoc-mail-com-s-account.workers.dev
Appeal a flag: https://phishdestroy.io/appeals/ (responded to within 48 hours, FP rate <0.01%)
Submit a report: https://t.me/PhishDestroy_bot

About PhishDestroy: volunteer-driven open-source threat-intelligence platform.
Tracked: 167,118 domains (16,029 alive under monitoring, 150,758 confirmed takedowns/dead).
Site: https://phishdestroy.io