Is shrmha.com safe?

encoded payload

suspicious base64-like blobs detected in page content

phishing

1 deceptive links where visible host does not match destination host

cloaking

Page checks user-agent for bot/crawler strings to serve different content

cloaking

Page conditionally redirects based on referrer or user-agent

js obfuscation

JavaScript uses Function constructor for runtime code generation

malicious redirect

Two external scripts loaded from 'diagnosedecorationvideotape.com' — a suspicious, obfuscated-looking domain unrelated to any legitimate ad network. One script (code-block-3) uses a heavily obfuscated path with mixed-case characters and underscores: '//diagnosedecorationvideotape.com/gz7dsHq/8S4/-TX-ZLzVzf/Rai1w0Fx/dBy7/_Tf3HLoPcco3qwMY6g/1_eHj3yhr3ZFglHAOB-/kpDXhAZrqU/tDP/7C_liNmGseaj0ev/edaWnRURvhKFFYqe/QFFl/kP1o/Kj3P'. The second script (code-block-2) loads 'invoke.js' from the same domain keyed with '8438ea1a6cfda4427707358311de6ae1'. These scripts execute with full page access and can redirect users, inject pop-ups, or deliver malware payloads. (location: page.html:845 and page.html:954)

obfuscated code

The page embeds custom base64 encode/decode functions (b2a, a2b, b64e, b64d) alongside the AI insertion plugin (Ad Inserter). These functions are used at runtime to decode and inject arbitrary HTML/JavaScript content into the page DOM via 'createContextualFragment'. The b64d function decodes base64 strings and inserts them as live script fragments, making it impossible to statically analyze what code will be executed without runtime evaluation. (location: page.html:969-971 and page-text.txt:826-828)

malicious redirect

The footer copyright link points to 'https://https://t7t-al7zam.com/...' (note the double 'https://' scheme — a URL construction anomaly) redirecting users to an external domain 't7t-al7zam.com' rather than the site's own domain. The 'Contact Us' button also redirects to this external domain. This indicates the site operator is funneling users to a separate third-party site. (location: page.html:941, page.html:925)

social engineering

The site prominently promotes multiple external adult content sites in header, body, and footer widgets with calls-to-action like '>>' directing users to arabgy.com, nafakarab.com, shraraa.com, t7t-al7zam.com, and sokoosoko.com. This affiliate/traffic-funneling pattern is a common social engineering technique to drive users to potentially higher-risk third-party sites without clear disclosure. (location: page.html:912-920, page-text.txt:769-777)

hidden content

The Ad Inserter plugin ('ai-viewport' CSS classes) uses viewport-based display logic with 'display: none !important' and absolute positioning off-screen (top: -1000px, z-index: -9999) for elements with classes 'ai-list-data', 'ai-ip-data', 'ai-filter-check', 'ai-fallback'. These hidden elements are processed at runtime and can contain encoded ad or redirect payloads injected into the visible DOM based on user IP, cookies, referrer, or device type — content invisible to static scanners. (location: page.html:133-134)

obfuscated code

The Ad Inserter plugin stores ad payloads as base64-encoded strings in 'data-code' and 'data-fallback-code' HTML attributes, then decodes and injects them at runtime using b64d() and createContextualFragment(). This allows arbitrary script injection that bypasses static content analysis. The plugin also reads and manipulates cookies ('aiBLOCKS') to track user behavior across sessions and conditionally serve different content. (location: page.html:844-895 (Ad Inserter JS blocks))

social engineering

The Telegram channel 'https://t.me/arab_naar' is listed in the site's schema.org Organization 'sameAs' field, linking the site's official identity to a Telegram channel. Telegram channels associated with adult content aggregators are commonly used to harvest follower data, distribute malware links, or conduct direct social engineering against subscribers. (location: page.html:24 (schema.org JSON-LD, sameAs field))