{
	"id": "8f5296b3-bfdd-4e35-a28c-edacd07a9c51",
	"created_at": "2026-04-06T00:18:40.907014Z",
	"updated_at": "2026-04-10T13:12:48.997807Z",
	"deleted_at": null,
	"sha1_hash": "24eaba3a6375ddc4d5427d950fb6514d1f317998",
	"title": "Analyzing the Various Layers of AgentTesla’s Packing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4082367,
	"plain_text": "Analyzing the Various Layers of AgentTesla’s Packing\r\nBy Jeff White\r\nPublished: 2017-09-25 · Archived: 2026-04-05 19:03:16 UTC\r\nAgentTesla is a fairly popular key logger built using the Microsoft .NET Framework and has shown a substantial rise in\r\nusage over the past few months.\r\nIt offers all of the standard features of a keylogger but goes beyond the typical confines of this type of software. One\r\nparticular feature of interest is the custom packer it uses to hide the primary AgentTesla binary. Packers allow for a binary to\r\nessentially be wrapped in another binary to mask the original one from detection.\r\nThere are a number of excellent blogs out there covering AgentTesla’s functionality and it’s various obfuscations, but having\r\nI recently unpacked a sample and wanted to focus on this particular function and provide some helpful tools to aide in\r\nunpacking it.\r\nFor this analysis, I’ll be using a PE32 version AgentTesla file seen in the wild on August 29th with hash\r\n“ca29bd44fc1c4ec031eadf89fb2894bbe646bc0cafb6242a7631f7404ef7d15c”. You’ll find AgentTesla delivered commonly\r\nvia phishing documents that usually contain VBA macros to download and run a file – like the one in question.\r\nAs it’s a commercial product, you’ll find a lot of variety in the initial carrier files that deliver the AgentTesla binary;\r\nhowever, at some point you’ll find yourself with a PE.\r\nThus, begins the journey…\r\nI suppose the first layer of obfuscation really begins with the file itself, called “one.jpeg.png.exe” and an icon of a JPG\r\ntrying to create an illusion of legitimacy.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 1 of 16\n\nThis is a common technique to fool people and they’ve taken it one step further by opening an image when you execute the\r\nbinary.\r\nThe first executable is a .NET application, which is no surprise since AgentTesla is very well known for being a .NET key\r\nlogger. To analyze .NET applications, I prefer to use the application dnSpy and, once loading up this sample, we can see\r\nthere is only one namespace of interest with a handful of functions and a byte array.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 2 of 16\n\nThe Japanese kanji stands out at first glance but I believe this is less about language and more about being a form of\r\nobfuscation – I’ll explain why shortly.\r\nLooking at the Main() function shows a pattern of multiple calls to two other functions.\r\nTake for example the below string.\r\nゆ.く(ゆ.るこ(New Byte() { 129, 148, 157, 176, 144, 129, 163, 219 })),\r\nThe namespace is “ゆ” and the functions are “く” and “るこ”, with the latter taking a byte array as input and then the\r\nresulting output of that function being passed to the former.\r\nStarting with the first function, there are two XOR operations that occur with what looks like two values from the passed in\r\nbyte array and then a static XOR key.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 3 of 16\n\nLooking at this function deeper, it uses the last value in the byte array as one of the 3 XOR keys, then adjusts the array in\r\nsize and begins the decoding loop. Starting at the first byte, it will take this number as the second XOR key and increment it\r\neach iteration. The final XOR key is pulled from the GetBytes call on the long string of kanji.\r\nBefore going any further though, can you spot the issue with the function above? It works and successfully decodes the byte\r\narray but there is a flaw in codes logic that threw me for a loop when trying to implement the code in Python.\r\nIf you manually XOR those values together (129 [first byte] ^ 214 [last byte] ^ 12375 [first kanji]), the resulting output isn’t\r\nwhat gets returned within the debugger. In fact, it’s not even close which left me scratching my head for a while.\r\n129^214^12375 = 12288 (0x3000)\r\nInstead, what we end up with is 104 (0x68). It’s clearly wrong though and I assumed I was missing something in what\r\nappeared to be a relatively straight forward, par for the course, decoding function. If I XOR the know good result with the\r\ntwo values from the byte array, I end up with 63 (0x3F), otherwise known as “?”.\r\nWhat’s happening is that the GetBytes call is set to use the default system encoding, which in my case is Windows-1252, so\r\nthe bytes fall outside of the acceptable range and all return as 63 (0x3F), regardless of where the index pointer is in the array.\r\nGiven this, the only two values I ever need to worry about are within the array itself and I can ignore most of this code.\r\nBelow is a small Python script which will decode the strings passed into it.\r\ndef decode(a):\r\nxorkey = a[-1]\r\na = a[0:-1]\r\nb = [0] * len(a)\r\nnum = 0\r\ncounter = 0\r\nmaxlength = len(b) - 1\r\nwhile counter \u003c= maxlength:\r\nb[len(b) - 1 - counter] = chr(a[counter] ^ xorkey ^ 0x3f)\r\ncounter += 1\r\nreturn \"\".join(b)\r\n\u003e\u003e\u003e a = [129,148,157,176,144,129,163,219]\r\n\u003e\u003e\u003e decode(a)\r\n'GetType'\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 4 of 16\n\nAs the string successfully decodes with using XOR key 0x3F, it implies it was also encoded with this value initially, so the\r\ndefault code page used by the author when encoding it was also most likely Windows-1252.\r\nThe reason I believe the kanji is more for obfuscation than anything else is because of this and what the XOR key displays,\r\nwhich is nothing but a jumble of random characters without any coherent message.\r\nThis randomness in function and variable names is similar to the techniques they use in later payloads but now with a\r\ndifferent character set.\r\nFor the second function, “く” it simply returns a string from the byte array of the previous function.\r\nGoing back to the previously mentioned byte array, it’s quite large and only has one reference inside this code, highlighted\r\nbelow.\r\nAfter the byte array is passed to the decoding function, the output is used as input into a new function, “うむれぐ”, that is\r\nresponsible for decompressing the data.\r\nOnce decompressed, the new data is returned in a byte array.\r\nAt this point I copied out the list of integers for the byte array and ran it through the decoding Python function and\r\ndecompressed the it with the zlib library into the next payload.\r\nfh = open(\"output\", \"w\")\r\nfh.write(zlib.decompress(decode(a), -15))\r\nfh.close()\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 5 of 16\n\nLooking at the new file shows that it is a DLL named “rp.dll”.\r\nThis was also a .NET file and we can load it into dnSpy for further analysis; however, before doing that I’ll go over the final\r\npart of the first packer.\r\nDim objectValue As Object =\r\nRuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(Nothing,CType(NewLateBinding.LateGet(Nothing,\r\n“System.Type”,“GetType”, “System.Reflection.Assembly”, Nothing, Nothing, Nothing), Type), “Load”,\r\nBINARY_ARRAY, Nothing, Nothing, Nothing))\r\nDim objectValue2 As Object =\r\nRuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(RuntimeHelpers.GetObjectValue(objectValue), Nothing,\r\n\"GetType\", \"とむ暮.とむ暮\", Nothing, Nothing, Nothing))\r\nNewLateBinding.LateGet(Nothing, CType(NewLateBinding.LateGet(Nothing, Type.[GetType](\"System.Type\",\r\n\"GetType\", \"System.Activator\", Nothing, Nothing, Nothing), Type), \"CreateInstance\", New Object() {\r\nRuntimeHelpers.GetObjectValue(objectValue2) }, Nothing, Nothing, Nothing)\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 6 of 16\n\nI’ve cleaned up the encoded strings so you can see what it’s doing but effectively, it takes the DLL assembly, loads it, and\r\ncalls the main function, “とむ暮.とむ暮”, within it.\r\nThis DLL uses the same byte array string obfuscation as the initial executable.\r\nIn the above image, you can see it begins by checking whether the file “\\\\Products\\\\WinDecode.exe” exists and then will\r\ncreate the “\\\\Products\\\\” directory if it does not. After that it will enumerate processes to kill, delete files, establish itself in\r\nthe registry for persistence and other characteristics typical of this malware.\r\nBut, eventually during the execution, you’ll end up at the next part of the unpacking code.\r\nDim obj2 As Object = とむ暮.れなつ(Me.まこうに(Me.こなき(Me.れな())))\r\nDim うひ硯る As うひ硯る = New うひ硯る()\r\nReturn うひ硯る.う(\"Nothing\", String.Empty, CType(obj2, Byte()), True)\r\nThe first line calls multiple functions - starting on the far right is “れな”. This function can be seen below and creates an\r\nobject from a PNG file in the resources section of the DLL.\r\nPicture Time\r\nThe PNG itself doesn’t visually show anything of note but static.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 7 of 16\n\nThe next function “こなき” is a bit more interesting.\r\nThis loads the image as a bitmap and then it will read the pixels in a certain order to build an array from the values for Red,\r\nGreen, and Blue that get returned.\r\nFor example, if you look at the bottom left of the image (0,192), you will see a dark green with the hex value 0x1AE2C.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 8 of 16\n\nThe first entries in the array would be 0x2C (Blue), 0xAE (Green), 0x1 (Red)\r\nTo unpack this, I once again re-wrote the code in Python and used the Python Imaging Library (PIL) to extract the bytes.\r\nThis particular image is 192x192 pixels and 24bits per pixel (3 bytes – RGB) and it iterates over each pixel from left to\r\nright, bottom to top, for the array of data.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\nfrom PIL import Image\r\nim = Image.open(\"/Users/pickleRICK/19.png\")\r\ndef imparse(a):\r\nwidth, height = im.size\r\ncounter = 0\r\nb = [0] * (width * height * 3)\r\nfor y in range(height - 1, -1, -1):\r\nfor x in range(0,width):\r\npixel = im.getpixel((x,y))\r\nb[counter * 3 + 2] = pixel[0] # R\r\nb[counter * 3 + 1] = pixel[1] # G\r\nb[counter * 3 + 0] = pixel[2] # B\r\ncounter += 1\r\nwhile b[-1] == 0:\r\ndel b[-1]\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 9 of 16\n\n16\r\n17\r\nreturn b\r\nAfter it returns, the byte array gets passed to the now familiar decode function and then the deflate function.\r\n\u0026gt;\u0026gt;\u0026gt; dec = imparse(im)\r\n\u0026gt;\u0026gt;\u0026gt; dec\r\n[44, 174, 1, 0, 237, 11, 8, 125, 109, 41, 15, …\r\n\u0026gt;\u0026gt;\u0026gt; dec = decode(dec)\r\n\u0026gt;\u0026gt;\u0026gt; dec\r\n'\\xec\\xbd\\tx\\x1c\\xc5\\x95\\x00\\xdcs\\xf59#\\xa9\\xa6G …\r\n\u0026gt;\u0026gt;\u0026gt; dec = zlib.decompress(dec,-15)\r\n\u0026gt;\u0026gt;\u0026gt; dec\r\n'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00 …\r\nAs you can see, we have the MZ header and the next binary.\r\nWithin the DLL are additional functions which handle executing the new payload and I’ve gone ahead and decoded some of\r\nthe native API’s they use to show how they carry out activity.\r\nThe final payload\r\nArrival of the last binary – another .NET application called\r\n“RII9DKFR5LC4Y669MLOA2C50SFLPHZBN61CZ160Z.exe”. If you read any of the posts mentioned earlier on the\r\nanalysis of AgentTesla, then this will look familiar.\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 10 of 16\n\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 11 of 16\n\nFunction and variable names are encoded with Unicode values in the range of 0x200B-0x200E. Strings are decrypted by, in\r\nthis sample, function “KMBHFDXSELJYYLVK\\u3002”.\r\nThis function uses a hardcoded password and salt to derive a key from the SHA1 hashing algorithm as implemented by\r\nMicrosoft (modified PBKDF1). Afterwards, it uses the key and hardcoded IV to decrypt the string with AES-CBC.\r\nA quick Google for that IV shows hundreds of results for it, with most revolving around an encryption example that was\r\nused as the base for this function – it even copies the examples variable names.\r\nWhat I found interesting here is that none of these values ever change sample to sample. Even going back to the samples in\r\nthe write-ups on AgentTesla from over 6 months ago, I was able to decrypt their base64 strings listed in the blog. This\r\nconfirms the same values are in use and likely hard coded into the builder for AgentTesla.\r\nGiven that everything is static then, it’s fairly trivial to extract all of the base64 encoded strings, decrypt them, and look for\r\ninteresting IoC’s.\r\n1\r\n2\r\n3\r\n4\r\nfrom Crypto.Cipher import AES\r\ndef stringdecrypt(a):\r\nstring = base64.b64decode(a)\r\niv = \"@1B2c3D4e5F6g7H8\"\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 12 of 16\n\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\nkey =\r\n\"\\x34\\x88\\x6D\\x5B\\x09\\x7A\\x94\\x19\\x78\\xD0\\xE3\\x8b\\x1b\\x5c\\xa3\\x29\\x60\\x74\\x6a\\x5e\\x5d\\x64\\x87\\x11\\xb1\\x2c\\x67\\xaa\\x5b\\x3\r\n#to 6a/5e for first iteration\r\ncleartext = AES.new(key[0:32], AES.MODE_CBC, iv).decrypt(string)\r\nreturn cleartext\r\nfh = open(\"extractedb64\")\r\ncontent = fh.readlines()\r\nfh.close()\r\nfor i in content:\r\ntry:\r\ndec = stringdecrypt(i)\r\nprint \"%s | %s\" % (i.strip(),dec.strip())\r\nexcept:\r\npass\r\nWhat we end up with is a long list of values like the below.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\ncWUeT8dJU4KfzxUEgGflzQ== | temp\r\ny9/s0/2Soj9dWZ7YCF9viw== | \\des_date.txt\r\nhQ1zQ5Cg31OSE+BZ2Os36w== | 2017-08-25\r\ncWUeT8dJU4KfzxUEgGflzQ== | temp\r\ny9/s0/2Soj9dWZ7YCF9viw== | \\des_date.txt\r\n1IhffSZWWBl13XPDs8n3myYCTMqLedaSKEkL/imL258= | dd.MM.yyyy HH:mm:ss\r\ncWUeT8dJU4KfzxUEgGflzQ== | temp\r\naXsej6rp5uxy+3ym08w3iA== | ApplicationData\r\nhaLsi+cj0yodiuWmM+o4Wg== | appdata\r\nAnV66gJ6ewY8YTWIByRSMA== | Temp\r\ncWUeT8dJU4KfzxUEgGflzQ== | temp\r\nzYMGsY8aSA781gMxSStsC9UAfia6hLdLRxgBeS3NtD0= | \\Java\\JavaUpdtr.exe\r\ncWUeT8dJU4KfzxUEgGflzQ== | temp\r\ny9/s0/2Soj9dWZ7YCF9viw== | \\des_date.txt\r\nAkq+/Qobe3bW+jdjmv5oI6h1rNqdq+rlANdh6Ef29KelgAp0y6gsCspLDS+k+xmNC9TpnFhgwZyL///RhoSWxQ==\r\n| Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\r\naZG83zDiQxysOvFJFc8qmg== | Load\r\n8mFIzTz8+GxS3SBdy62qeA== | JavaUpdtr\r\nIMqa7/uMjEFhAZrJPRn9Gw== | False\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 13 of 16\n\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\nqQj4VB+mzRT8iDf7llcE6Q== | xyz\r\nhyNN5z+7qAsS695lDXLuHg== | True\r\n…\r\n82ZGUDSQrPCv8v1Hf+HpRA== | \u0026lt;/span\u0026gt;\r\nBJsW0oB1ieLYwE8A0Yu6OlLBTcrh0varR+ibOkyOCrk= | mylogbox4h@gmail.com\r\n2qbrW8tf2IZoaPGZlcaKWw== | /log.tmp\r\nv4EpbnhZTubu6HTjEZ8Gdw== | [SavedLog (\r\nI/tDnJPWEB6yySAivkY/576ixyY2gOP+bLVbbaRIV8A= | yyyy_MM_dd_HH_mm_ss\r\n2qbrW8tf2IZoaPGZlcaKWw== | /log.tmp\r\nQ9Yhy5Uive3G6Gspdid9EQ== | Saved_Log_From_\r\neCqe8oqjGUIRwUWqnBrrpA== | /\r\nq542gy/+wDIUJhH3OGKnNg== | -\r\n3TzIyOOSC+3lcpPaeTxO6g== | _\r\n4T5LGk6qEvqUS2xRJLUlww== | .html\r\nFile names, registry keys, and e-mails to start off hunting with. You can also see where the corresponding base64 is within\r\nthe code and then use dnSpy to obtain further context on how AgentTesla utilizes these values.\r\nFor example, below is something that stood out as interesting almost immediately.\r\n4nmIR8y7iw8axs2u6GfIQ8f/7fSpMKvqD0ODaew16nI= | mylogbox3h@gmail.com\r\n5XDX6cForslWY791UzW+zw== | sammy1990\r\nwf990RzBidRdPMgWIckJ2g== | smtp.gmail.com\r\nPivoting to these values in dnSpy will land you in a function that seems responsible for sending the stolen data back to the\r\nattacker.\r\nPivoting on a hunch\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 14 of 16\n\nAt this point, I’ve accomplished the goal I set out for – covering the packing techniques used by the current version of\r\nAgentTesla, offering some code to automate unpacking and decrypt some configuration data.\r\nBut why stop when you’re ahead?\r\nI like to Google static values and constants when analyzing malware because you can usually find some interesting stuff –\r\nconfigurations, forums, accounts, panels, etc. When I began searching for the file “one.jpeg.png.exe” I stumbled across a\r\nsite, “b-f-v[.]info”, which hosts various versions of this keylogger.\r\nThey all function in the same way but the image that displays is related to the first part of the file name. The images are\r\nvarious sizes so the decoding would be different for each; however, the code shown previously will grab the correct Width\r\nand Height for building the array.\r\nAlso take note of the dates and when they were modified. The sample covered in this blog was seen on August 29th, just two\r\ndays before these were created – so the person or group behind these appear to be actively creating new versions to send out.\r\nI confirmed in these samples we find the same SMTP credentials.\r\nConclusion\r\nHopefully this overview of their packing techniques, along with the scripts to unpack each phase, prove helpful to others\r\nwhen looking at AgentTesla. Given its recent spikes in popularity, it’s likely not going anywhere anytime soon so the more\r\nknowledge you have of the threat, the better you can defend yourself.\r\nYou can continue to track this threat through the Palo Alto Networks AutoFocus AgentTesla tag and you will find the hashes\r\nfor all of the files covered in this blog below:\r\nIndicators of Compromise\r\nInitial PE32\r\none.jpeg.png.exe | ca29bd44fc1c4ec031eadf89fb2894bbe646bc0cafb6242a7631f7404ef7d15c\r\nmypic.jpeg.png.exe | cb0de059cbd5eba8c61c67bedcfa399709e40246039a0457ca6d92697ea516f9\r\nfamilyhome.jpeg.png.exe / myhome.jpeg.png.exe |\r\n444e9fbf683e2cff9f1c64808d2e6769c13ed6b29899060d7662d1fe56c3121b\r\ngift-certificate.pdf.png.exe | 124bb13ede19e56927fe5afc5baf680522586534727babbe1aa1791d116caeeb\r\nrequest-for-quotation.pdf.png.exe | dce91ff60c8d843c3e5845061d6f73cfc33e34a5b8347c4d9c468911e29c3ce6\r\nDLL’s\r\nrp.dll | 3c48c7f16749126a06c2aae58ee165dc72df658df057b1ac591a587367eae4ad\r\nrp.dll | a5768f1aa364d69e47351c81b1366cc2bfb1b67a0274a56798c2af82ae3525a8\r\nSecond stage encoded images\r\n19.png | e42a0fb66dbf40578484566114e5991cf9cf0aa05b1bd080800a55e1e13bff9e\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 15 of 16\n\n72.png | cd64f1990d3895cb7bd69481186d5a2b1b614ee6ac453102683dba8586593c03\r\nAgentTesla\r\nRII9DKFR5LC4Y669MLOA2C50SFLPHZBN61CZ160Z.exe  |\r\n3e588ec87759dd7f7d34a8382aad1bc91ce4149b5f200d16ad1e9c1929eec8ec\r\nB92MKZFESR6J7R2PNQ9ZTBA6QN0LIEXTUQEVH3T3.exe  |\r\n8fb72967b67b5a224c0fcfc10ab939999e5dc2e877a511875bd4438bcc2f5494\r\nTable of Contents\r\nThus, begins the journey…\r\nPicture Time\r\nThe final payload\r\nPivoting on a hunch\r\nConclusion\r\nIndicators of Compromise\r\nDLL’s\r\nSecond stage encoded images\r\nAgentTesla\r\nRelated Articles\r\nAnalyzing the Current State of AI Use in Malware\r\nSuspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack\r\nPhantomVAI Loader Delivers a Range of Infostealers\r\nEnlarged Image\r\nSource: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nhttps://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/"
	],
	"report_names": [
		"unit42-analyzing-various-layers-agentteslas-packing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24eaba3a6375ddc4d5427d950fb6514d1f317998.pdf",
		"text": "https://archive.orkl.eu/24eaba3a6375ddc4d5427d950fb6514d1f317998.txt",
		"img": "https://archive.orkl.eu/24eaba3a6375ddc4d5427d950fb6514d1f317998.jpg"
	}
}