https://petrobras.itsmoney.com.br
185.158.133.1 · DET FRA
Frankfurt am Main, Germany
1322 days
200 · 33.6s
Valid · E8, Let's Encrypt, US
COMPLETED
Registered-domain escalation
Submit itsmoney.com.br as the primary IOC, enriched with evidence from hostile subdomains like petrobras.itsmoney.com.br.
No KB/IOK detections were recorded for this scan.
finance | technology | ecommerce | government | others · 4/5/2026
The page presents Petrobras branding and the title "Petrobras - It's Money | Relatório", but the domain is petrobras.itsmoney.com.br, which is not the official Petrobras domain. External scripts and analytics from widely used trackers (Facebook Pixel, Google Tag Manager) are present. The SPA-like structure renders forms dynamically, but the static HTML has no login fields. Given the non-official domain and the Lovable-generated project branding in the page metadata and assets, the evidence suggests potential impersonation/cloaking rather than confirmed credential harvesting. The page appears to be cloaked content designed to mimic Petrobras branding while hosted on a third-party domain. Analyst flagged likely cloaking/evasion behavior for this target. Analyst note: this target may cloak content or block scanners.
Capture
Stages: 3
Canonical: Late Render (+3s)
Changed: No
Credential Signals
Forms: 0
Password fields: 0
Late-stage login UI: No
Resource Signals
Resources: 34
Hosts: 9
Domains: 7
Suspicious Endpoints
hxxps://petrobras[.]itsmoney[.]com[.]br/~api/analytics
No specific IOCs identified in source
The scan indicates potential impersonation/cloaking on a non-official domain using Petrobras branding. The domain is not Petrobras.com.br or an official Petrobras subdomain, yet the page presents Petrobras visuals and a Petrobras-like Brazilian report offer. The presence of dynamic credential-collection UI within the SPA logic is plausible but not confirmed in the static HTML; combined with the analyst note about cloaking and the heavy analytics/advertising script suite, this site presents a credible impersonation risk. Recommend monitoring and further verification of ownership, and considering takedown or blocking if corroborated as phishing/counterfeit content. Analyst-reported cloaking/evasion suspicion increases confidence that the operator is actively attempting to evade automated security analysis. Analyst context was provided and corroborated during this assessment (Analyst note: this target may cloak content or block scanners).