{
	"id": "dea4559f-05b6-470d-9fab-89238eb0b5b0",
	"created_at": "2026-04-06T00:18:22.515861Z",
	"updated_at": "2026-04-10T03:34:22.518506Z",
	"deleted_at": null,
	"sha1_hash": "226052594643cda9e109ecd3499a3027933a60c2",
	"title": "Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2453195,
	"plain_text": "Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and\r\nDecoding\r\nBy Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia, Siddhart Shibiraj\r\nPublished: 2022-05-06 · Archived: 2026-04-05 12:42:46 UTC\r\nExecutive Summary\r\nCobalt Strike is commercial threat emulation software that emulates a quiet, long-term embedded actor in a network. This\r\nactor, known as Beacon, communicates with an external team server to emulate command and control (C2) traffic. Due to its\r\nversatility, Cobalt Strike is commonly used as a legitimate tool by red teams – but is also widely used by threat actors for\r\nreal-world attacks. Different elements of Cobalt Strike contribute to that versatility, including the encoding algorithm that\r\nobfuscates metadata sent to the C2 server.\r\nIn a previous blog, “Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to\r\nDetect,” we learned that an attacker or red team can define metadata encoding indicators in Malleable C2 profiles for an\r\nHTTP transaction. When Cobalt Strike’s Beacon “phones home,” it sends metadata – information about the compromised\r\nsystem – to the Cobalt Strike TeamServer. The red team or attackers have to define how this metadata is encoded and sent\r\nwith the HTTP request to finish the C2 traffic communication.\r\nIn this blog post, we will go through the encoding algorithm, describe definitions and differences of encoding types used in\r\nthe Cobalt Strike framework, and cover some malicious attacks seen in the wild. In doing so, we demonstrate how the\r\nencoding and decoding algorithm works during the C2 traffic communication, and why this versatility makes Cobalt Strike\r\nan effective emulator for which it is difficult to design traditional firewall defenses.\r\nMetadata Encoding Algorithm\r\nThere are five encoding schemes supported by Cobalt Strike. 
The RSA-encrypted metadata is being encoded to easily\r\ntransfer the ciphered binary data in network protocol.\r\nFigure 1. Encoding schemes in the Cobalt Strike profile.\r\nBase64 Encoding and Decoding\r\nBase64 Encoding and Decoding is a standard Request for Comments (RFC) algorithm implementation. The author has not\r\nmade any changes to the Base64 Character set. Here is the list of characters used for encoding and decoding the data.\r\n[ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b',\r\n'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',\r\n'8', '9', '+', '/' ]\r\nLet's understand the use of the Base64 algorithm in Malleable profiles by studying an example.\r\n1. Profile Metadata\r\nHavex.profile uses Base64 encoding to transform metadata information about compromised systems before sending it.\r\nFigure 2 shows the metadata is encoded using the Base64 encoding algorithm and the result is placed in the Cookie header.\r\nFigure 2. Metadata encoding options in the Havex profile.\r\n2. HTTP C2 traffic\r\nhttps://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/\r\nPage 1 of 8\n\nFigure 3 shows the HTTP C2 traffic generated from the profiles. The highlighted part is the Base64-encoded metadata about\r\nthe compromised machine.\r\nFigure 3. HTTP C2 traffic using the Havex profile.\r\n3. Base64 Decoding\r\nAny tool can decode the encrypted metadata. We have used the Python Base64 library to complete the task. Figure 4\r\nshows a sample script to decode the data and print it in hex format.\r\nHere is the decoded data from the script. This is RSA-encrypted metadata about the compromised system:\r\n“751990bee317e74e4f2aa6f13078ef22dd884e065b738f8373f49dee401a069d5dfd1d3e39e94cc637e21364e1fd71ab3322fb9c7a987fc6aa27dfab981\r\nFigure 4. 
Sample Python script to decode Base64 data.\r\nBase64URL Encoding and Decoding\r\nBase64URL is a modified version of the Base64 encoding algorithm. The modified version uses URL and filename-safe\r\ncharacters for encoding and decoding. Here is the character set:\r\n[ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b',\r\n'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',\r\n'8', '9', '-', '_' ]\r\nCompared to the Standard Base64 character set, the modified version has replaced ‘+’ with ‘-’ and ‘/’ with ‘_’. The Pad\r\ncharacter ‘=’ is skipped from the encoded data as it is normally percent-encoded in URI.\r\nLet's understand the use of the Base64URL algorithm in Malleable profiles by studying an example.\r\n1. Profile Metadata\r\nCnnvideo_getonly.profile uses Base64URL encoding to transform the metadata information. (Note that this profile is an\r\nexample of mimicking legitimate CNN HTTP traffic and has no connection to the organization.) Figure 5 shows the\r\nmetadata is encoded using the Base64URL encoding algorithm and appends the data to parameter g.\r\nFigure 5. Metadata encoding in CNN video profile.\r\n2. HTTP C2 traffic\r\nFigure 6 shows the HTTP C2 traffic generated by the Beacon. The parameter value is the Base64URL-encoded metadata\r\nabout the victim.\r\nFigure 6. HTTP C2 traffic generated using CNN video profile.\r\n3. Base64URL decoding\r\nA user has a couple of options to decode the data.\r\nA user can replace the ‘-’ with ‘+’ and ‘_’ with ‘/’ along with adding a pad character ‘=’. The replaced string becomes\r\nstandard Base64-encoded data. Then any Base64 decoding tool can be used to get the encrypted metadata.\r\nUse the scripting language to do the job. 
Figure 7 shows a sample Python script to decode the data. The\r\nurlsafe_b64decode function only replaces the characters and does not add padding. In the sample, we have added\r\n‘=’ to make the output compatible with Base64 encoding. You can add more padding characters; Python only\r\ncomplains if it sees too little padding.\r\nThe output of the script is RSA-encrypted metadata.\r\n“60495dff002eddaa0c409aaaae0fda592810993ae0ae319c87d62b65c54d92447daf2c1bc84930c5d90ed3a023227e254d3a2c28763be372bb7444ef57\r\nFigure 7. Python script to decode the Base64URL.\r\nNetBIOS Encoding and Decoding\r\nNetBIOS encoding is used to encode NetBIOS service names. The Cobalt Strike tool uses the same algorithm to encode\r\nvictim metadata when it is being transferred in C2 communication.\r\nIn the NetBIOS encoding algorithm, each input byte is represented by two ASCII characters. Each 4-bit half (nibble) of the\r\ninput byte is treated as a separate byte by right-adjusting and zero-filling the binary number. This number is then added to the\r\nvalue of the ASCII character ‘a’, and the result is stored as a separate byte. Here is the character set used for encoding: [‘a’,\r\n‘b’, ‘c’, ‘d’, ‘e’, ‘f’, ‘g’, ‘h’, ‘i’, ‘j’, ‘k’, ‘l’, ‘m’, ‘n’, ‘o’, ‘p’].\r\nFigure 8 demonstrates the encoding process:\r\nFigure 8. NetBIOS encoding process.\r\nLet's understand the use of the NetBIOS algorithm in Malleable profiles by studying an example.\r\n1. Profile Metadata\r\nOcsp.profile uses NetBIOS encoding to convert the victim’s metadata. Figure 9 shows the metadata is encoded using the\r\nNetBIOS encoding algorithm. The resulting data is appended to the URI.\r\nFigure 9. Metadata encoding in the OCSP profile.\r\n2. HTTP C2 traffic\r\nFigure 10 shows the HTTP traffic generated by the Beacon using the OCSP profile.\r\nFigure 10. HTTP C2 traffic generated using the OCSP profile.\r\n3. 
NetBIOS decoding\r\nFigure 11 shows a Python implementation to decode the NetBIOS-encoded metadata.\r\nThe output of the script is RSA-encrypted metadata about the victim:\r\n“5725245edcb589b305e33e02da1cda208ed083bed8a1ae0b3a87da0f9d6ebe31025ab67c58572acb9757288cc2e78bea414249fa8cb0783485a1b5a3c086350\r\nFigure 11. Python script to decode the NetBIOS encoding.\r\nNetBIOSU Encoding and Decoding\r\nThe NetBIOSU algorithm is a slightly modified version of the NetBIOS algorithm discussed above. The only change is the\r\ncharacter set used for encoding. In this algorithm, the character set is the uppercase version of the set used in\r\nthe normal NetBIOS algorithm. Here is the set: [‘A’, ‘B’, ‘C’, ‘D’, ‘E’, ‘F’, ‘G’, ‘H’, ‘I’, ‘J’, ‘K’, ‘L’, ‘M’, ‘N’, ‘O’, ‘P’].\r\nNetBIOSU uses the same encoding process as in the NetBIOS algorithm. Please refer to Figure 8 for more information.\r\nLet's understand the use of the NetBIOSU algorithm in Malleable profiles by studying an example.\r\n1. Profile Metadata\r\nAsprox.profile uses NetBIOSU encoding to convert the victim’s metadata. Figure 12 shows the metadata is encoded using\r\nthe NetBIOSU encoding algorithm. The resulting data is appended to the URI.\r\nFigure 12. Metadata encoding in the asprox profile.\r\n2. HTTP C2 traffic\r\nFigure 13 shows the HTTP traffic generated by the Beacon using the asprox profile, and the highlighted part is the metadata\r\nabout the victim.\r\nFigure 13. HTTP C2 traffic generated using the asprox profile.\r\n3. NetBIOSU decoding\r\nFigure 14 shows a Python implementation to decode the NetBIOSU-encoded metadata.\r\nThe output of the script is RSA-encrypted metadata about the victim.\r\n“722676e535f86ffc29ba1cafb9856d98d1f697a83b0afc5bb143e2cf2242152a351081fb837192da3e3b2d9021fab75ce32677b6299a24d15e28db883adb36c5\r\nFigure 14. 
Python script to decode the NetBIOSU encoding.\r\nMask Encoding and Decoding\r\nThe Mask encoding algorithm can be specified in the Malleable C2 profile and combined with other encoding algorithms;\r\nthe profile is loaded by the TeamServer and used for C2 communication. The Beacon generates four random bytes as the\r\nMask XOR key, XORs the 128-byte encrypted metadata with that key, and sends the Mask key and the encoded data to the\r\nTeamServer for C2 communication. As an example, we walk through the randomized.profile to explain in more detail below.\r\n1. Figure 15 is a partial profile with metadata encoded by Mask and Base64URL. The partial profile below defines the URI\r\nand metadata encoding algorithm as Mask and Base64URL, and the encoded metadata will be appended to the URI.\r\nFigure 15. Metadata encoding options in randomized profile.\r\n2. HTTP C2 Traffic\r\nFigure 16 is the C2 traffic based on the Figure 15 profile, so we can reverse the encoding data with the following steps.\r\nFrom the traffic captured, we know that the entire URI is: /zChN7QMDhftv10Li9Cu-fm_T_3qDQawT-Z1GzNg1FWfAfSILT-u_rKLvXP-RE0ac-pxJTlGFCUIm4Aw9rGHPCIJVl0zNdCbM_G2VkYXJ5GGGtVh8S0LWMM4YLGZD9okLcFBc402j5zESK71HaR_owJb-AVBfFvAo8q0I2J74rmfGyIROyg\r\nRemove the prefix /zC. The remaining value is encoded by Base64URL:\r\nhN7QMDhftv10Li9Cu-fm_T_3qDQawT-Z1GzNg1FWfAfSILT-u_rKLvXP-RE0ac-pxJTlGFCUIm4Aw9rGHPCIJVl0zNdCbM_G2VkYXJ5GGGtVh8S0LWMM4YLGZD9okLcFBc402j5zESK71HaR_owJb-AVBfFvAo8q0I2J74rmfGyIROyg\r\nFigure 16. C2 traffic based on randomized profile.\r\n3. 
Data encoding and decoding\r\nBase64URL encoding and decoding\r\nThe Base64URL-encoded data:\r\nhN7QMDhftv10Li9Cu-fm_T_3qDQawT-Z1GzNg1FWfAfSILT-u_rKLvXP-RE0ac-pxJTlGFCUIm4Aw9rGHPCIJVl0zNdCbM_G2VkYXJ5GGGtVh8S0LWMM4YLGZD9okLcFBc402j5zESK71HaR_owJb-AVBfFvAo8q0I2J74rmfGyIROyg\r\nThe Base64URL-decoded data:\r\n84ded030385fb6fd742e2f42bbe7e6fd3ff7a8341ac13f99d46ccd8351567c07d220b4febbfaca2ef5cff9113469cfa9c494e5185094226e00c3dac61cf08\r\nUsing the Python Base64 library, as shown by the code in Figure 17, to decode the Base64URL-encoded data, the decoded\r\nhex data length is 132 and the first four bytes, 84ded030, are the Mask xor key. The remaining 128 bytes are the\r\nmetadata encoded by the Mask xor algorithm.\r\nBase64URL decoded Python code:\r\nFigure 17. Base64URL-decoded Python3 code.\r\nMask encoding and decoding\r\nThe Mask key is 84ded030\r\nThe Mask-encoded data is:\r\n385fb6fd742e2f42bbe7e6fd3ff7a8341ac13f99d46ccd8351567c07d220b4febbfaca2ef5cff9113469cfa9c494e5185094226e00c3dac61cf088255974c\r\nMask-decoded data is:\r\nbc8166cdf0f0ff723f3936cdbb2978049e1fefa950b21db3d588ac3756fe64ce3f241a1e71112921b0b71f99404a3528d44af25e841d0af6982e5815ddaa\r\nUsing the Python code in Figure 18 to decode the Mask-encoded data, the decoded hex data length is 128 bytes. The\r\n128 bytes are the RSA-encrypted metadata; the RSA algorithm will be detailed in a forthcoming piece.\r\nMask-decoded Python code:\r\nFigure 18. Mask-decoded Python3 code.\r\nCases in the Wild\r\nThe following sections show two different cases of Cobalt Strike payloads found in the wild used by malware. One uses\r\nBase64 and the other uses Base64URL encoding. Palo Alto Networks identified them using static and dynamic analysis\r\nunder the Unit42.CobaltStrike tag in the AutoFocus system.\r\nBase64\r\nSHA256: 6b6413a059a9f12d849c007055685d981ddb0ff308d6e3c2638d197e6d3e8802\r\nFigure 19. 
Base64 encoding.\r\nBase64URL Encoding\r\nSHA256: f6e75c20ddcbe3bc09e1d803a8268a00bf5f7e66b7dbd221a36ed5ead079e093\r\nFigure 20. Base64URL encoding.\r\nConclusion\r\nCobalt Strike is a potent post-exploitation adversary emulator. The five encoding algorithms detailed above are elaborate and\r\nare designed to evade security detections. A single security appliance is not equipped to prevent a Cobalt Strike attack. Only\r\na combination of security solutions – firewalls, sandboxes, endpoints and software to integrate all these components – can\r\nhelp prevent this kind of attack.\r\nPalo Alto Networks customers are protected from this kind of attack by the following:\r\n1. Next-Generation Firewalls (NGFWs) with Threat Prevention signatures 86445 and 86446 identify HTTP C2 requests\r\nwith the Base64 metadata encoding in default profiles.\r\n2. WildFire, an NGFW security subscription, and Cortex XDR identify and block Cobalt Strike Beacon.\r\n3. AutoFocus users can track this activity using the CobaltStrike tag\r\nIndicators of Compromise\r\nCS Samples\r\n6b6413a059a9f12d849c007055685d981ddb0ff308d6e3c2638d197e6d3e8802\r\nf6e75c20ddcbe3bc09e1d803a8268a00bf5f7e66b7dbd221a36ed5ead079e093\r\nCS Beacon Samples\r\n/n9Rd\r\nSHA256 Hash:\r\nfc95e7f4c8ec810646c16c8b6075b0b9e2cc686153cdad46e82d6cca099b19e7\r\n/flas\r\nSHA-256 Hash:\r\n11b8beaa53353f5f52607e994849c3086733dfa01cc57fea2dae42eb7a6ee972\r\nCS TeamServer IP addresses\r\n80.255.3[.]109\r\n143.244.178[.]247\r\nSource: https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/"
	],
	"report_names": [
		"cobalt-strike-metadata-encoding-decoding"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434702,
	"ts_updated_at": 1775792062,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/226052594643cda9e109ecd3499a3027933a60c2.pdf",
		"text": "https://archive.orkl.eu/226052594643cda9e109ecd3499a3027933a60c2.txt",
		"img": "https://archive.orkl.eu/226052594643cda9e109ecd3499a3027933a60c2.jpg"
	}
}