context safety score
A score of 33/100 indicates multiple risk signals were detected. This entity shows patterns commonly associated with malicious intent.
encoded payload
suspicious base64-like blobs detected in page content
phishing
1 deceptive links where visible host does not match destination host
obfuscated code
The very first script in <head> (data-cfasync='false') contains a heavily obfuscated self-executing function using percent-encoded strings, character-code shifting arithmetic, and a large lookup table to dynamically construct and inject code at runtime. The decoded logic maps to ad-network fingerprinting and redirect orchestration. This pattern is consistent with malvertising loaders used to serve drive-by redirects or popunders to visitors. (location: page.html line 12 — inline <script data-cfasync='false'> (first script block in <head>))
malicious redirect
An external script is loaded from //driverhugoverblown.com/on.js — a domain whose name ('driver huge overblown') is a nonsense string typical of randomly generated malvertising CDN domains. The script is loaded asynchronously with onerror/onload callbacks tied to an obfuscated function (obgow), indicating it is a traffic-distribution or redirect payload. This is a high-confidence malicious third-party script inclusion. (location: page.html line 13 — <script src='//driverhugoverblown.com/on.js'>)
obfuscated code
A second large obfuscated script block appears near the footer (data-cfasync='false'), implementing a hexadecimal-encoded string-lookup obfuscation pattern (R(K,h), X() function, 0x-prefixed constants, infinite while(true) loop with try/catch array rotation). This is the standard 'array rotation' obfuscation used by malvertising injectors to hide the construction of ad-network URLs, tracking beacons, and redirect logic from static analysis. (location: page.html line 1978 — inline <script data-cfasync='false'> (footer script block))
brand impersonation
The page operates under the domain masa49.com but presents itself as 'MasaLoL.Com' in the title and header, while simultaneously claiming to be 'MasaFun.Net' in og:site_name, Schema.org structured data, and the author meta tag ('Masahub.com'). The canonical URL points to masa49.com, the og:url points to masafun.com, and the footer 'Home' link goes to masafun.com. This multi-brand identity confusion is used to impersonate or trade on the reputation of related domains (MasaFun, MasaHub, MasaLoL) and to obscure the true operator identity from both users and automated crawlers. (location: page.html lines 17, 24, 27, 84, 88, 97, 141, 160, 1967)
hidden content
The page contains a 1x1 pixel invisible iframe injected by Cloudflare's challenge platform script at the very bottom of the body. While this specific instance is the standard CF bot-detection mechanism, the iframe is created with visibility:hidden, position:absolute, top:0/left:0, and injects a child script dynamically — a pattern also used by malvertising iframes to silently load third-party payloads. Combined with the other obfuscated scripts on this page, this warrants flagging. (location: page.html line 1993 — Cloudflare iframe injection script at end of <body>)
hidden content
The page embeds verification tokens for multiple ad networks simultaneously: Clickaine (x2 duplicate entries), HilltopAds (x2 duplicate entries), DaoPush, ExoClick, and MediaAds (maValidation x2). The presence of push-notification ad network verifications (DaoPush, Clickaine) is significant — these networks are frequently used to socially-engineer users into granting browser push notification permissions, which are then exploited for persistent spam and phishing delivery long after the user leaves the site. (location: page.html lines 68–78 — meta verification tags for DaoPush, Clickaine, ExoClick, HilltopAds, maValidation)
social engineering
The site is verified with DaoPush and Clickaine push-notification ad networks (meta tags present). These networks display browser-native permission dialogs ('Allow notifications from masa49.com?') styled to appear as age-verification or content-unlock prompts on adult sites. Users who grant permission receive persistent push notifications used for spam, fake prize scams, and phishing lures — a well-documented social engineering vector on adult content sites. (location: page.html lines 71, 72 — meta name='daopush-site-verification' and meta name='clickaine-site-verification')
brand impersonation
The page sets duplicate and conflicting meta tags: two separate og:locale, og:type, og:description, and og:site_name declarations with different values (one set claiming 'MasaFun.Net', another with empty site_name). This meta-tag stuffing with conflicting brand identifiers is used to game social media preview scrapers and SEO crawlers into associating the page with multiple brand identities simultaneously. (location: page.html lines 22–27 and lines 80–83 — duplicate conflicting Open Graph meta tags)
curl https://api.brin.sh/domain/masa49.comCommon questions teams ask before deciding whether to use this domain in agent workflows.
masa49.com currently scores 33/100 with a suspicious verdict and low confidence. The goal is to protect agents from high-risk context before they act on it. Treat this as a decision signal: higher scores suggest lower observed risk, while lower scores mean you should add review or block this domain.
Use the score as a policy threshold: 80–100 is safe, 50–79 is caution, 20–49 is suspicious, and 0–19 is dangerous. Teams often auto-allow safe, require human review for caution/suspicious, and block dangerous.
brin evaluates four dimensions: identity (source trust), behavior (runtime patterns), content (malicious instructions), and graph (relationship risk). Analysis runs in tiers: static signals, deterministic pattern checks, then AI semantic analysis when needed.
Identity checks source trust, behavior checks unusual runtime patterns, content checks for malicious instructions, and graph checks risky relationships to other entities. Looking at sub-scores helps you understand why an entity passed or failed.
brin performs risk assessments on external context before it reaches an AI agent. It scores that context for threats like prompt injection, hijacking, credential harvesting, and supply chain attacks, so teams can decide whether to block, review, or proceed safely.
No. A safe verdict means no significant risk signals were detected in this scan. It is not a formal guarantee; assessments are automated and point-in-time, so combine scores with your own controls and periodic re-checks.
Re-check before high-impact actions such as installs, upgrades, connecting MCP servers, executing remote code, or granting secrets. Use the API in CI or runtime gates so decisions are based on the latest scan.
Learn more in threat detection docs, how scoring works, and the API overview.
Assessments are automated and may contain errors. Findings are risk indicators, not confirmed threats. This is a point-in-time assessment; security posture can change.
integrate brin in minutes — one GET request is all it takes. query the api, browse the registry, or download the full dataset.