{
	"id": "40f68f19-8948-433a-a756-03f43cbf754d",
	"created_at": "2026-04-06T00:07:50.065812Z",
	"updated_at": "2026-04-10T03:31:48.829143Z",
	"deleted_at": null,
	"sha1_hash": "0c6ff5129dd99187cade1e7add7565d0e70dd556",
	"title": "Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2908449,
	"plain_text": "Operation EmailThief: Active Exploitation of Zero-day XSS\r\nVulnerability in Zimbra\r\nBy mindgrub\r\nPublished: 2022-02-03 · Archived: 2026-04-05 16:49:59 UTC\r\n[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and\r\nreported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability was later assigned\r\nCVE-2022-24682 and was fixed in version 8.8.15P30 Update 2 of Zimbra Collaboration Suite.\r\nIn December 2021, through its Network Security Monitoring service, Volexity identified a series of targeted spear-phishing campaigns against one of its customers from a threat actor it tracks as TEMP_Heretic. Analysis of the\r\nemails from these spear phishing campaigns led to a discovery: the attacker was attempting to exploit a zero-day\r\ncross-site scripting (XSS) vulnerability in the Zimbra email platform. Zimbra is an open source email platform\r\noften used by organizations as an alternative to Microsoft Exchange.\r\nThe campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance\r\nand involved emails designed to simply track if a target received and opened the messages. The second phase\r\ncame in several waves that contained email messages luring targets to click a malicious attacker-crafted link. For\r\nthe attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail\r\nclient from a web browser. The link itself, however, could be launched from an application to include a thick\r\nclient, such as Thunderbird or Outlook. Successful exploitation results in the attacker being able to run arbitrary\r\nJavaScript in the context of the user’s Zimbra session. Volexity observed the attacker attempting to load JavaScript\r\nto steal user mail data and attachments. An overview of the full attack is given in Figure 1:\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 1 of 15\n\nFigure 1. Overview of attack phases\r\nWhile Volexity only observed TEMP_Heretic attempting email and attachment theft, the vulnerability could easily\r\nallow an attacker to perform other actions in the context of the user’s Zimbra webmail session, such as the\r\nfollowing:\r\nExfiltrate cookies to allow persistent access to a mailbox.\r\nSend further phishing messages to a user’s contacts.\r\nPresent a prompt to download malware in the context of a trusted website.\r\nAt the time of writing, this exploit has no available patch, nor has it been assigned a CVE (i.e., this is a zero-day\r\nvulnerability). Volexity can confirm and has tested that the most recent versions of Zimbra—8.8.15 P29 \u0026 P30—\r\nremain vulnerable; testing of version 9.0.0 indicates it is likely unaffected. Based on BinaryEdge data,\r\napproximately 33,000 servers are running the Zimbra email server, although the true number is likely to be higher.\r\nAccording to Zimbra, there are 200,000 businesses, and over a thousand government and financial institutions,\r\nusing the software.\r\nVolexity has also been unable to attribute the observed activity to a previously known threat actor. However, based\r\non a number of observed factors, Volexity believes the attacker is likely Chinese in origin. Volexity has observed\r\nTEMP_HERETIC targeting organizations in the following sectors:\r\nEuropean Government\r\nMedia\r\nSpear-phishing Campaigns\r\nSpear-phishing messages observed by Volexity were sent over a period of two weeks in December 2021 using 74\r\nunique outlook.com email addresses created by the attacker. While there were variances, emails were frequently\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 2 of 15\n\nformatted as \u003cfirstname\u003e_\u003clastname\u003e\u003cnumbers\u003e@outlook.com or \u003cfirstname\u003e\u003clastname\u003e\r\n\u003cnumbers\u003e@outlook.com. The attacker used names commonly used as feminine names for all the personas they\r\ncreated regardless of the email address, as observed from the email-friendly name field. The pattern of sending\r\ntimes suggests the attacker may have manually crafted content for each email before sending it, as they were often\r\nsent to consecutive recipients with gaps of a few minutes. Volexity was able to track all the messages\r\nTEMP_HERETIC sent and found the attacker conducted a single reconnaissance wave followed by multiple\r\nwaves aimed at compromising email data.\r\nReconnaissance\r\nThe initial phase of the attack came in the form of spear-phishing campaign sent on December 14, 2021, UTC. It\r\ndid not involve any type of social engineering lure outside of attempting to get the user to view or open the email.\r\nThis first wave simply embedded remote images in the body of email messages.  These emails contained no\r\ncontent other than the remote image and had generic subjects often associated with non-targeted spam. Below are\r\na list of the subject line topics used for the initial reconnaissance emails.\r\nInvitations\r\nRefunds for airline tickets\r\nWarnings\r\n\u003cno subject\u003e\r\nThe image links in each email were unique per target. This was likely done to test the validity of email addresses,\r\nand to determine which accounts were more likely to open phishing email messages. However, Volexity ultimately\r\ndid not note any correlation between reconnaissance emails and follow-on spear-phishing campaigns. Examples of\r\nURLs to remote images are shown below:\r\nhxxp://fireclaws.spiritfield[.]ga/[filename].jpeg?[integer]\r\nhxxp://feralrage.spiritfield[.]ga/[filename].jpeg?[integer]\r\nhxxp://oaksage.spiritfield[.]ga/[filename].jpeg?[integer]\r\nhxxp://claygolem.spiritfield[.]ga/[filename].jpeg?[integer]\r\nThe [integer] at the end of each URL was used to identify the specific victim. The subdomains were found to be\r\nunique per email, but it is unknown why they were chosen. Gaming enthusiasts may recognize that the\r\nsubdomains correspond to the names of spells from the game Diablo II.\r\nMalicious Emails\r\nIn the second attack phase, Volexity observed multiple spear-phishing campaigns run on December 16, 23, 24, and\r\n27, 2021. In these campaigns, the attacker embedded links to attacker-controlled infrastructure. In some cases, it\r\nappears more of an effort was made to craft a lure that was more enticing to the targeted individual. Two different\r\nthemes were used in the first wave of attacks. The first theme was interview requests purporting to be from\r\nvarious news organizations such as Agence France-Presse (AFP) and BBC. The second theme was invitations to a\r\ncharity auction hosted by Sotheby’s. In once instance, the attacker used the same “Jacqueline Martin” email\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 3 of 15\n\naddress, where Jacqueline was used to represent both BBC and Sotheby’s. Examples of these messages are shown\r\nbelow.\r\nFigure 2. Example phishing email using human-rights themed targeting\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 4 of 15\n\nFigure 3. Example phishing email using an auction theme\r\nHowever, not all content was custom or otherwise made to stand out to the targets. The spear-phishing waves that\r\nfollowed were largely generic and mostly themed around the holiday season, notably purporting to be from\r\nvarious airlines or Amazon. The attacker sent numerous emails with Christmas and New Years greetings\r\npurporting to be from Air France, British Airways, Iberia Airways, Lufthansa, Southwest Airlines, and United\r\nAirlines. The attacker sent similar holiday greetings purporting to be from Amazon but also sent generic messages\r\ninviting the user to try Amazon Prime or get discounts on their purchases. Examples of these phishing messages\r\nare shown below.\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 5 of 15\n\nFigure 4. Phishing email using Amazon Prime trial theme\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 6 of 15\n\nFigure 5. Christmas themed phishing email\r\nSubsequent waves from attack phase of the spear phishing campaigns used a similar URI pattern but with a\r\nconsistent subdomain. The format is given below:\r\nhxxps://update.secretstep[.]tk/[filename].jpeg?u=[integer]\u0026t=[second_integer]\r\nThe second integer in this case was used to denote the target organization. Upon clicking the malicious link, the\r\nattacker infrastructure would attempt a redirect to a page on the targeted organization’s Zimbra webmail host, with\r\na specific URI format which—if the user is logged in—exploits a vulnerability allowing an attacker to load\r\narbitrary JavaScript in the context of a logged-in Zimbra session. Since there is no available patch for this\r\nvulnerability, Volexity is not currently disclosing the required URI pattern required for successful exploitation. A\r\nbeautified and marked-up copy of the code loaded by the attacker is given here.\r\nThe functionality of the attacker code is simple:\r\nIterate through each email in the user’s inbox and sent folders.\r\nFor each email encountered, send the email body and any attachments to the configured callback address\r\n(mail.bruising-intellect[.]ml) via HTTP POST requests.\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 7 of 15\n\nA screenshot of the main loop used for retrieving emails from a victim’s inbox is shown below:\r\nFigure 6. Marked-up copy showing the inbox email theft code\r\nThe overall effect of this attack is that by getting a user to click a link in an email and leave their browser window\r\nopen for any length of time, the attacker can steal the contents of their mailbox. The JavaScript code used to\r\nfacilitate mail theft has to be customized per version of Zimbra, as the attacker needs to request a page containing\r\na CSRF-Token in order to make subsequent requests to steal mail data.\r\nAn example of the POST data format in the event of a successful mail theft is given below.\r\nFigure 7. Example POST data sent by the JavaScript containing full email body data.\r\nInfrastructure Analysis and Attribution\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 8 of 15\n\nBased on the infrastructure used in the attacks against its customer, Volexity was able to identify a number of\r\nadditional domains and IP addresses used by the attacker based on simple passive DNS pivots. All identified\r\ninfrastructure used Freenom domains hosted on AS399269, which belongs to BitLaunch (BLNWX).  These appear\r\nto be virtual private servers that were likely purchased via bitlaunch.io, a service which allows for purchasing\r\ninfrastructure using the Bitcoin currency.\r\nAll identified IP addresses were observed running Apache 2.4.6 on CentOS with PHP 5.4.16. When SSL is used,\r\ncertificates were purchased via ZeroSSL. A full list of IOCs is given here. Notably, Scanbox-related activity\r\nVolexity previously described in its private reporting in August 2021 also used the same server settings (although\r\nwithout SSL).\r\nIn terms of attribution, none of the infrastructure identified by Volexity exactly matches infrastructure used by\r\npreviously classified threat groups. However, based on the targeted organization and specific individuals of the\r\ntargeted organization, and given the stolen data would have no financial value, it is likely the attacks were\r\nundertaken by a Chinese APT actor. Furthermore, there were three clues to suggest the attacker could be Chinese:\r\nThe vast majority of emails were sent between 04:00 and 08:30 UTC, fitting hours of a working day of\r\nUTC + 8 hours.\r\nEmails were sent with headers indicating they were sent from a +0800 UTC time zone.\r\nThe hard-coded headers used in the Zimbra requests generated by the attacker’s JavaScript code contain a\r\ntimezone set to “Asia/Hong_Kong”.\r\nConclusion and Recommendations\r\nWhile this Zimbra XSS vulnerabilty may not be as widereaching and damaging as the Microsoft Exchange\r\nvulnerability Volexity discovered and disclosed last year, it can still have catastrophic consequences for\r\norganizations that land in the crosshairs of an attacker with the exploit. At the time of this writing, there is no\r\nofficial patch or workaround for this vulnerability. Volexity has notified Zimbra of the exploit and hopes a patch\r\nwill be available soon. A timeline of events related to this exploit is given below:\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 9 of 15\n\nExploits against mail servers have been numerous in the last few years. They continue to be a productive avenue\r\nfor attackers wishing to steal data from organizations running on-premise mail services. Vulnerability data\r\npublished by NIST reveals that Zimbra accumulated 23 severe and critical vulnerabilities since 2019.  When\r\nsoftware products are assigned many severe vulnerabilities, threat actors usually take note and invest in\r\ndeveloping capabilities to exploit them. This is especially true if the product holds valuable information on\r\nrelevant organizations, such as email.\r\nVolexity recommends the following:\r\nAll of the indicators here should be blocked at the mail gateway and network level.\r\nUsers of Zimbra should analyze historical referrer data for suspicious access and referrers. The default\r\nlocation for these logs can be found at /opt/zimbra/log/access*.log.\r\nUsers of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of\r\n8.8.15.\r\nIf you believe your organization may been breached from this vulnerability or similar related activity, and you\r\nneed assistance conducting an incident response investigation, please contact Volexity for further assistance.\r\nThis vulnerability and related threat activity were detailed to Volexity Threat Intelligence customers in TIB-20211224.\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 10 of 15\n\nAppendix A: Related Infrastructure\r\nvalue entity_type description\r\namazon-check[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\namazon-check[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\namazon-check[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\namazon-check[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\namazon-team[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nbruising-intellect[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nchargedboltsentry.spiritfield[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nfindtruth[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nflameshock.spiritfield[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\niceywindflow[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\niceywindflow[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\niceywindflow[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nmail.bruising-intellect[.]ml hostname\r\nInfrastructure used in conjunction with Zimbra 0-day;\r\nhosted malicious JS used to steal user mail and was C2\r\nfor that malicious JS\r\nmx.newsonline[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 11 of 15\n\nvalue entity_type description\r\nnews-online[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nnews-voice[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nnewsonline[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nopticaleel.iceywindflow[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nplayquicksand[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nplayquicksand[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nplayquicksand[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nplayquicksand[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nsecretstep[.]tk hostname\r\nInfrastructure used in conjunction with Zimbra 0-day;\r\ninitial domain used to redirect users to malicious Zimbra\r\nURL\r\nshadowmaster.iceywindflow[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nshadownight.playquicksand[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nshadownight.spiritfield[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nspiritfield[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nspiritfield[.]ga hostname\r\nInfrastructure used in conjunction with Zimbra 0-day;\r\nused in reconnaissance emails to validate if addresses\r\nwere real before sending actual payload later\r\nspiritfield[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 12 of 15\n\nvalue entity_type description\r\nspiritfield[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nspiritx[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nsupport.newsonline[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nthunderchannel[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nthunderchannel[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\ntigerstrike.iceywindflow[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nupdate.secretstep[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwinderosion.spiritfield[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwindsoft[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwindsource.thunderchannel[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwindsource.thunderchannel[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.amazon-check[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.findtruth[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.iceywindflow[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.news-online[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 13 of 15\n\nvalue entity_type description\r\nwww.news-voice[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.newsonline[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.playquicksand[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.playquicksand[.]gq hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.spiritfield[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.spiritx[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.thunderchannel[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.thunderchannel[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.windsoft[.]cf hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nwww.yahoo-corporation[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nyahoo-corporation[.]ml hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nyahoo-corporation[.]tk hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\nyahoo-movie.spiritx[.]ga hostname\r\nInfrastructure likely used in conjunction with Zimbra 0-\r\nday\r\n108.160.133.32 ipaddress Suspected related C2 server\r\n172.86.75.158 ipaddress\r\nResolution for known domain associated with Zimbra\r\nexploitation\r\n206.166.251.141 ipaddress\r\nResolution for known domain associated with Zimbra\r\nexploitation\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 14 of 15\n\nvalue entity_type description\r\n206.166.251.166 ipaddress\r\nResolution for known domain associated with Zimbra\r\nexploitation\r\nSource: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nhttps://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/"
	],
	"report_names": [
		"operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra"
	],
	"threat_actors": [
		{
			"id": "e767cfb1-3030-4041-b617-64befa8f8ad7",
			"created_at": "2023-11-21T02:00:07.347329Z",
			"updated_at": "2026-04-10T02:00:03.464024Z",
			"deleted_at": null,
			"main_name": "TEMP_Heretic",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP_Heretic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5a725cab-d852-48cf-bcb9-f69426f89332",
			"created_at": "2022-10-25T16:07:23.951922Z",
			"updated_at": "2026-04-10T02:00:04.805463Z",
			"deleted_at": null,
			"main_name": "Operation EmailThief",
			"aliases": [
				"Operation EmailThief",
				"TEMP_Heretic"
			],
			"source_name": "ETDA:Operation EmailThief",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c6ff5129dd99187cade1e7add7565d0e70dd556.pdf",
		"text": "https://archive.orkl.eu/0c6ff5129dd99187cade1e7add7565d0e70dd556.txt",
		"img": "https://archive.orkl.eu/0c6ff5129dd99187cade1e7add7565d0e70dd556.jpg"
	}
}