{
	"id": "d5512c94-8aca-4c10-a6b3-32998834d987",
	"created_at": "2026-04-06T00:17:34.405315Z",
	"updated_at": "2026-04-10T13:12:01.315063Z",
	"deleted_at": null,
	"sha1_hash": "0f7d4fd5816f90dc77875993c3512d299a6a6014",
	"title": "TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2331676,
	"plain_text": "TAG-110 Targets Tajikistan: New Macro Word Documents\r\nPhishing Tactics\r\nBy Insikt Group®\r\nArchived: 2026-04-05 18:29:43 UTC\r\nNote: The analysis cut-off date for this report was March 24, 2025.\r\nExecutive Summary\r\nFrom January to February 2025, Insikt Group detected a phishing campaign targeting Tajikistan that Insikt Group\r\nattributes to TAG-110, a Russia-aligned threat actor that overlaps with UAC-0063 and has been linked to APT28\r\n(BlueDelta) with medium confidence by CERT-UA. In this campaign, TAG-110 leveraged Tajikistan government-themed documents as lure material, consistent with its historical use of trojanized legitimate government\r\ndocuments, though the authenticity of the current samples could not be independently verified. These documents\r\nwere distinct from those used in previous campaigns (1, 2, 3, 4), notably lacking an embedded HTA-based\r\npayload HATVIBE within them, which TAG-110 has deployed since at least 2023. In this campaign, TAG-110 has\r\nshifted to using macro-enabled Word template files (.dotm files) rather than HATVIBE for the initial payload.\r\nGiven TAG-110’s historical targeting of public sector entities in Central Asia, this campaign is likely targeting\r\ngovernment, educational, and research institutions within Tajikistan.\r\nRussia’s Central Asian policy centers on preserving a post‑Soviet sphere of influence by embedding itself at the\r\ncore of the region’s security, economic, and political architecture. TAG-110's activities continue to bolster this\r\npolicy through intelligence-gathering operations. 
Insikt Group anticipates TAG‑110 will sustain regional\r\noperations against government ministries, academic and research bodies, and diplomatic missions, particularly\r\nthose involved in upcoming elections, military operations, or other events the Kremlin wishes to influence.\r\nKey Findings\r\nTAG-110 has changed its spearphishing tactics in recent campaigns against Tajikistan, as they now rely on\r\nmacro-enabled Word templates (.dotm files).\r\nThis campaign has been attributed to TAG-110 based on its reuse of VBA code found in lures from\r\nprevious campaigns, overlap in C2 infrastructure, and use of suspected legitimate government documents\r\nfor lure material.\r\nTAG-110’s persistent targeting of Tajik government, educational, and research institutions supports\r\nRussia’s strategy to maintain influence in Central Asia. These cyber-espionage operations likely aim to\r\ngather intelligence for influencing regional politics or security, particularly during sensitive events like\r\nelections or geopolitical tensions.\r\nhttps://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled\r\nPage 1 of 10\n\nTAG-110’s recent use of macro-enabled Word templates (.dotm), placed in the Microsoft Word STARTUP\r\nfolder for automatic execution, highlights a tactical evolution prioritizing persistence. Organizations should\r\nmonitor the Word STARTUP directory for unauthorized additions and enforce strict macro security\r\npolicies.\r\nBackground\r\nTAG-110 is a Russia-aligned threat actor overlapping with UAC-0063, which has been linked to APT28\r\n(BlueDelta) with medium confidence by CERT-UA. TAG-110 has conducted cyber-espionage campaigns\r\nprimarily targeting Central Asia since at least 2021. Historically, this group has been known for its use of macro-enabled Word documents to deliver malicious payloads such as HATVIBE, an HTA-based malware designed for\r\ninitial access and persistence. 
In November 2024, Insikt Group highlighted TAG-110’s use of HTA-embedded\r\nspearphishing attachments in emails tailored for Central Asian diplomatic entities. TAG-110’s operations have\r\nbeen documented by organizations such as CERT-UA, BitDefender, and Sekoia, with recent campaigns targeting\r\nentities in Kazakhstan, Uzbekistan, and other Central Asian states. TAG-110 continues to use a variety of custom\r\nmalware families to conduct espionage activities, including CHERRYSPY (DownExPyer), LOGPIE, and\r\nPyPlunderPlug.\r\nThreat Analysis\r\nBeginning in January 2025, Insikt Group detected new TAG-110 first-stage payloads, which suggested the threat\r\nactors were evolving their tactics. Previously, TAG-110 leveraged macro-enabled Word documents to deliver\r\nHATVIBE, an HTA-based malware, for initial access. The newly detected documents do not contain the\r\nembedded HTA HATVIBE payload for creating a scheduled task and instead leverage a global template file placed\r\nin the Word startup folder for persistence.\r\nDocument Analysis\r\nSHA256 Hash d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7\r\nDocument Name(s) documents.php\r\nDocument Creation Time 2024-12-24 06:47:00 UTC\r\nFirst Seen 2025-01-27 09:18:33 UTC\r\nFirst Seen Triage 2024-01-31 18:16:00 UTC\r\nC2 Host http://38.180.206[.]61:80/engine.php\r\nFile Type MS Word 2007+ Macro-Enabled Template (.dotm)\r\nTable 1: Metadata of d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 (Source:\r\nRecorded Future)\r\nThe first document (Figure 1) appears to be a notice to the armed forces of Tajikistan themed on ensuring\r\nradiation safety. 
Machine translation incorrectly translated “РТ” as “Republic of Tartarstan,” but in the wider\r\ndocument context, “PT” likely refers to the “Republic of Tajikistan,” as “Республика Таджикистан” is used in\r\nplace of “PT” later in the document. Insikt Group has not been able to verify the authenticity of the document, but\r\nTAG-110 has historically used legitimate documents as lures.\r\nFigure 1: First page of d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 and\r\ncorresponding machine translation (Source: Recorded Future)\r\nSHA256 Hash 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7\r\nDocument Name(s) N/A\r\nDocument Creation Time 2024-12-13 06:18:00 UTC\r\nFirst Seen 2025-02-01 12:04:49 UTC\r\nFirst Seen Triage 2025-02-07 02:17:00 UTC\r\nC2 Host http://38.180.206[.]61:80/engine.php\r\nFile Type MS Word 2007+ Macro-Enabled Template (.dotm)\r\nTable 2: Metadata of 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Source:\r\nRecorded Future)\r\nThe second document (Figure 2) appears to be a schedule related to the elections in Dushanbe, the capital of\r\nTajikistan. At the time of reporting, Insikt Group could not verify the document's authenticity.\r\nFigure 2: First page of 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 and\r\ncorresponding machine translation (Source: Recorded Future)\r\nVBA Macros\r\nBoth sample files, d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 and\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7, share the same functionality and\r\ncommand-and-control (C2) infrastructure, with only a small change in the C2 communications methods. 
Figure 3\r\nshows the source code of these malicious Word documents.\r\nFigure 3: VBA Macro source code from\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Source: Recorded Future Malware\r\nIntelligence)\r\nAnalysis of Sub Procedures\r\nDocument_Open() Sub Procedure\r\nUpon opening the malicious file, the document.open event is triggered, and the remaining code will:\r\nUnprotect the document using the key \"gyjyfyjrtjrtjhfgjfrthrtj\"\r\nHide spelling errors\r\nAttempt to set the font line width to 0\r\nCopy itself to the Word startup folder (%APPDATA%\\Microsoft\\Word\\STARTUP\\\u003cfilename\u003e.dotm) in\r\nXML template format with macros enabled for persistence\r\nFigure 4: Document_open() Sub procedure of\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Source: Recorded Future Malware\r\nIntelligence)\r\nAutoExec() Sub Procedure\r\nOnce the document has been added to the Word startup folder, it is treated as a global template and will run the\r\nautomatic macro AutoExec every time Microsoft Word is started. 
The AutoExec macro completes the following\r\noperations:\r\nChecks to see the last time Microsoft Word was started; this is stored and maintained by the global\r\ntemplate in the registry location\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cVersion\u003e\\Word\\Options\\LastTime -- If the value of\r\nLastTime is less than 60 seconds, AutoExec will end execution\r\nCollects the following system information and stores it in JSON format: -- Computer name -- Username --\r\nRegion -- Monitor resolution -- Language -- System version\r\nWaits three seconds before executing the getInfo() Sub procedure, per Figure 5.\r\nFigure 5: AutoExec() Sub procedure of\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Source: Recorded Future Malware\r\nIntelligence)\r\ngetInfo() Sub Procedure\r\nThe getInfo() Sub procedure initiates communication between the victim and the C2 server. The procedure\r\naccomplishes this by completing the following operations:\r\nCreates an HTTP request object and makes an HTTP POST to the URL\r\nhttp://38.180.206[.]61/engine.php\r\nPer Figure 7, the HTTP request has the following characteristics:\r\nContent-type header set to application/x-www-form-urlencoded\r\nUser-Agent header set to a Base64-encoded ID unique in both samples\r\nPOST data in the format of opamczqwe=\u0026ywalokmsz=\r\nIf the C2 server’s response starts with \"%%%%,\" the Sub procedure will take the rest of the string after it\r\nand use that as the argument in the start Sub procedure\r\nIf the server HTTP response does not start with \"%%%%,\" it will wait ten seconds and try again until it\r\ngets a response starting with “%%%%”\r\nThe sample d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 makes use of a\r\ncount loop where the collected data is only sent in every tenth HTTP POST, whereas the 
sample\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 will only send the collected\r\ndata on the first HTTP POST\r\nFigure 6: getInfo() Sub procedure of 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7\r\n(Source: Recorded Future)\r\nFigure 7: PCAP output of an HTTP POST from\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Source: Recorded Future)\r\nstart() Sub Procedure\r\nThe start() Sub procedure is likely used to execute additional VBA supplied in C2 responses. The Sub procedure\r\naccomplishes this by completing the following operations:\r\nIt splits the remaining C2 response, using the string “###” as a delimiter, and stores the values into an array\r\nThis array of strings is used as variables, likely to create a block of code similar to those used in previous\r\nTAG-110 macro-enabled Word documents, such as\r\n6ac6a0dd78d2e3f58e95fa1a20b3ab22b4b49a1ab816dcfb32fd6864e1969ac3, as seen in Figure 8\r\nThe array values are used to create a COM object (likely WScript.Shell based on code overlap from\r\nprevious VBA code used by TAG-110) and written to a value in the registry\r\nThis is likely modifying\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cVersion\u003e\\Word\\Security\\AccessVBOM in the\r\nregistry, as this tactic was used in the previous campaigns\r\nThis registry modification allows VBA macros to modify and access other VBA projects\r\nAnother COM object (likely Word.Application based on code overlap from previous VBA code used by\r\nTAG-110) will launch Microsoft Word in the background, create a new document inside that Microsoft\r\nWord instance, add a VBA module, and execute it after three seconds\r\nFigure 8: Code overlap between 6ac6a0dd78d2e3f58e95fa1a20b3ab22b4b49a1ab816dcfb32fd6864e1969ac3\r\n(Top) and 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 (Bottom) 
(Source:\r\nRecorded Future)\r\nFigure 9: start() Sub procedure of 8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7\r\n(Source: Recorded Future)\r\nMalicious Infrastructure\r\nThe files d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7 and\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7 share the same C2 server,\r\n38.180.206[.]61. This IP address was previously identified as a HATVIBE C2 server and attributed to TAG-110 by\r\nSekoia. At the time of analysis, Insikt Group could not obtain additional second-stage VBA modules. However,\r\nbased on TAG-110’s historical activity and tool set, it is likely that successful initial access via the macro-enabled\r\ntemplates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or\r\npotentially a new, custom-developed payload designed for espionage operations.\r\nMitigations\r\nMonitor for and alert on creating or modifying global template files in the Microsoft Word startup folder,\r\nwhich may indicate persistent macro abuse.\r\nDetect and investigate registry modifications to AccessVBOM under\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u003cVersion\u003e\\Word\\Security, which may signal\r\nattempts to enable or manipulate VBA macro behavior.\r\nDisable macros by default in Microsoft Office applications and implement Group Policy Objects (GPOs) to\r\nprevent users from enabling them unless explicitly approved.\r\nUse Recorded Future® Threat Intelligence to monitor for newly emerging TAG-110 infrastructure,\r\nmalware signatures, and phishing document indicators.\r\nIntegrate Recorded Future Threat Intelligence Modules into SIEM and SOAR platforms to receive real-time alerts on activity linked to TAG-110 and other Russia-aligned threat actors.\r\nOutlook\r\nBased on current and past Insikt Group reporting, 
TAG-110 has consistently used macro-enabled spearphishing\r\ndocuments to deliver malware and establish persistence in target environments. Insikt Group expects TAG-110 to\r\ncontinue leveraging regional events and bureaucratic themes to craft their lures. We also expect the targeting of\r\nentities related to government, defense, or public infrastructure in Central Asia to persist, especially around\r\nsensitive events such as elections or military activity.\r\nAppendix A — Indicators of Compromise\r\nIP Addresses: 38.180.206[.]61 188.130.234[.]189\r\nSHA256 Hashes: d60e54854f2b28c2ce197f8a3b37440dfa8dea18ce7939a356f5503ece9e5eb7\r\n6c81d2af950e958f4872d3ced470d9f70b7d73bc0b92c20a34ce8bf75d551609\r\n8508003c5aafdf89749d0abbfb9f5deb6d7b615f604bbb11b8702ddba2e365e7\r\nAppendix B: MITRE ATT\u0026CK Techniques\r\nTactic: Technique ATT\u0026CK Code\r\nInitial Access: Spearphishing Attachment T1566.001\r\nExecution: Malicious File T1204.002\r\nPersistence: Office Template Macros T1137.001\r\nDefense Evasion: Encrypted/Encoded File T1027.013\r\nCommand-and-Control: Web Protocols T1071.001\r\nSource: https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
	],
	"report_names": [
		"russia-aligned-tag-110-targets-tajikistan-with-macro-enabled"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434654,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f7d4fd5816f90dc77875993c3512d299a6a6014.pdf",
		"text": "https://archive.orkl.eu/0f7d4fd5816f90dc77875993c3512d299a6a6014.txt",
		"img": "https://archive.orkl.eu/0f7d4fd5816f90dc77875993c3512d299a6a6014.jpg"
	}
}