Static Analysis of


Recently became viral in the Philippines when Filipino Facebook users started sending their own customized New Year’s greetings to their Facebook friends.

Note: This analysis is focused on the web application of to see if there is anything malicious.

landing page

Bruteforcing the subdomains gives us 3 results. – – –

dnscan subdomain bruteforce

Upon checking on ThreatCrowd, uses 2 proxy IPs from Cloudflare, which are and

This means that, under the IP addresses of and several websites are also using the same IP addresses mentioned above.

If one of those websites is malicious, the IP addresses and will be automatically flagged as malicious by online scanners.

I tried looking for suspicious JavaScript files (.js) used by the web application but I couldn’t find any.

The web application also uses deep links for mobile users to share their WishCard on WhatsApp and Facebook Messenger.

If you click share, it opens a hyperlink with the whatsapp:// or fb-messenger:// scheme, which launches WhatsApp or Facebook Messenger so you can share the WishCard you created.

<a class="footerbtn" href="whatsapp://send?text=👌 *testing* *Send You a Surprising message* 🎁 %0AOpen this %0A 👇👇 %0A %0A"><img width="25px" height="25px" src="wp.png" /><b style="font-size: 15px;"> Click here to share on Whatsapp </b> <img width="25px" height="25px" src="wp.png" /></a>
<a href="fb-messenger://share/?" data-os="Facebook Messenger"><img src="../wow/messenger.png" style="animation: tada 2s infinite;margin-top:5px;height: 50px;width:50px;"></a>
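An added example, not code from the original post: one way to do the static inventory described here (script sources and deep-link hrefs) over a saved copy of a page. The sample HTML is constructed from the two share links above plus hypothetical script tags, and `wishes.example.invalid` is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample: the two share links quoted above (shortened) plus
# hypothetical <script> tags. example.invalid hosts are placeholders.
SAMPLE_HTML = '''
<script src="js/main.js"></script>
<script src="https://cdn.example.invalid/tracker.js"></script>
<script>var inline = 1;</script>
<a class="footerbtn" href="whatsapp://send?text=*testing* %0AOpen this %0A">share</a>
<a href="fb-messenger://share/?" data-os="Facebook Messenger">share</a>
<a href="/about.html">about</a>
'''

WEB_SCHEMES = {"", "http", "https"}


class PageInventory(HTMLParser):
    """Collect script sources and non-web (deep link) hrefs from static HTML."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.external_scripts = []  # src served from another host: review these
        self.local_scripts = []     # src served from the page's own host
        self.inline_scripts = 0     # <script> blocks without a src attribute
        self.deep_links = []        # (scheme, percent-decoded href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if not src:
                self.inline_scripts += 1
            elif urlsplit(src).netloc not in ("", self.page_host):
                self.external_scripts.append(src)
            else:
                self.local_scripts.append(src)
        elif tag == "a" and attrs.get("href"):
            scheme = urlsplit(attrs["href"]).scheme
            if scheme not in WEB_SCHEMES:
                # Decode so the text the app will pre-fill is readable.
                self.deep_links.append((scheme, unquote(attrs["href"])))


def inventory(html, page_host):
    parser = PageInventory(page_host)
    parser.feed(html)
    parser.close()
    return parser
```

Calling `inventory(SAMPLE_HTML, "wishes.example.invalid")` returns the parser object; its `external_scripts` and `deep_links` lists are the items worth reading by hand.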

Going back to, to have more information about I decided to bruteforce the web directory using dirsearch.

dirsearch directory bruteforce

However, I was only able to find a directory called “mysql”.

Checking the contents of

By visiting this gives us the idea that the directory “/mysql” is phpMyAdmin.

Google Analytics

Google Adsense


During this static analysis, I didn’t find to be malicious. Why?

1.) There are no malicious JavaScript files used in the web application.
a.) is being called by

As of December 31 2019

2.) only asks for your name, and it uses deep links to share the WishCard you created.
3.) You find the IP addresses and malicious? C’mon, dude. We both know that most cybercriminals use Cloudflare for their protection.
4.) The web application doesn’t use cryptominers but relies on Google AdSense to earn money.
5.) No whitepaper or documentation about the said “Unverified Threat Advisory”.

The web app may not be malicious, but please be more vigilant: don’t click unknown links, don’t open unknown attachments, and always update your web browsers, operating system and antivirus to their latest versions.

Happy Holidays!

Thanks to Rodel Plasabas for the heads-up!

You may also want to check out the analysis of JP Lita on
