{
	"id": "109eb6b4-98d0-492e-8c2a-fdef0881e707",
	"created_at": "2026-04-06T00:08:00.644966Z",
	"updated_at": "2026-04-10T03:37:20.268171Z",
	"deleted_at": null,
	"sha1_hash": "2b194fbe4e9029637157c680d39564389dafb939",
	"title": "APT-K-47 “Mysterious Elephant”, a new APT organization in South Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5100709,
	"plain_text": "APT-K-47 “Mysterious Elephant”, a new APT organization in South Asia\r\nBy Knownsec 404 team\r\nPublished: 2023-08-16 · Archived: 2026-04-05 16:16:44 UTC\r\nAuthor: Knownsec 404 Advanced Threat Intelligence team\r\nChinese version: https://paper.seebug.org/3000/\r\nIn March 2023 the Knownsec 404 Advanced Threat Intelligence team was the first in the world to capture a new APT backdoor, which we named “ORPCBackdoor”; we published a detailed analysis of it in May 2023: Bitter’s new assault weapon analysis — ORPCBackdoor weapon.\r\nIn that report we attributed the weapon to BITTER as its latest tool. However, Kaspersky has since published a report stating that in the second quarter they discovered a new APT group whose main target is Pakistan, which they named “Mysterious Elephant”.\r\nTwo non-public reports were also released: the first describes the group’s main tactics, techniques and procedures (TTPs) over the past few years, and the second describes the group’s attacks on Pakistan’s diplomatic ministries. The group’s defining feature is a brand-new backdoor that is delivered to the victim’s machine via malicious RTF documents. 
Malicious RTF documents are delivered via phishing emails. The backdoor communicates with its C2 server over RPC: it can execute files or commands on the controlled machine, and it can receive files and commands from the C2 server and execute them.\r\nWe have confirmed that the backdoor discovered by Kaspersky is the same backdoor we first captured as “ORPCBackdoor”. Given the difference in attribution, the Knownsec 404 Advanced Threat Intelligence team has assigned a new designation to the “new” organization that uses ORPCBackdoor: APT-K-47, with the Chinese name “Mysterious Elephant”.\r\nIn this paper we extend the analysis along two lines, the overall attack chain of the samples and Knownsec’s remote-sensing mapping data, and we observe that the organization’s targets are not limited to Pakistan: there are traces of attacks on other countries.\r\nRetrospective analysis also shows that the organization’s earliest attack activity began around March 2022. This article publishes the details of the group’s attacks and the relevant IOCs.\r\n1. 
Overall attack chain\r\nhttps://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477\r\nPage 1 of 20\r\nFigure 1\r\nIn an attack on APT-K01, the attacker sent a CHM file to the target through a phishing email, using the “Russia-China Committee for Friendship, Peace and Development” as the bait; the relevant decoy content is shown below.\r\nFigure 2\r\nThe content of the phishing file shows that the organization does not target only Pakistan, as described by Kaspersky: according to Knownsec’s remote-sensing mapping data, its targets span multiple countries.\r\nThe malicious part of the CHM file is doc.html, which contains an OBJECT element used to create a scheduled task that runs every 15 minutes. The task downloads and executes the second-stage malicious program hosted on the second-stage server; the second-stage program is an MSI file.\r\nFigure 3\r\nThe second-stage MSI file contains a white-and-black pair: the black file is the ORPCBackdoor mentioned in the Kaspersky report (OLMAPI32.dll), and the white file is an official Microsoft service executable, which is used to load the black file.\r\nFigure 4\r\n2. Homology analysis\r\nThe ORPCBackdoor attack chain overlaps with the tactics used by the India-side groups; BITTER’s tactics and code structure are particularly similar. 
The relevant comparison is as follows.\r\nThe CHM file structure used by BITTER in past attacks:\r\nFigure 5\r\nThe CHM file structure of the initial stage of the ORPCBackdoor chain captured this time:\r\nFigure 6\r\nComparing the two doc.htm files, here is BITTER’s doc.htm:\r\nFigure 7\r\nAnd here is the doc.htm from the ORPCBackdoor CHM:\r\nFigure 8\r\nThe two CHM files are almost identical in code logic, functionality and evasion techniques, and in both cases the second-stage files downloaded are MSI files.\r\nThe ORPCBackdoor attack chain also overlaps with tactics seen across the South Asia threat landscape. Our analysis found the Trojan on network assets used by the Confucius organization, and the same Trojan on assets used by the BITTER organization.\r\nAPT organizations in South Asia have long shared infrastructure. We have even found particular strings reused between the Confucius and Patchwork organizations, which makes it difficult to separate one organization cleanly from the others. 
At present, the main distinction is drawn from differences in the complete Trojan attack chain and in some of the network assets.\r\nBased on our analysis of the other South Asian organizations SideWinder, Patchwork, CNC, Confucius, BITTER and APT-K-47, these hacker organizations may be different groups under a single unified organization: there is extensive overlap in attack tools, attack targets and network assets.\r\n3. ORPCBackdoor Description\r\n3.1 Overview of sample functions\r\nORPCBackdoor has 17 export functions, with the following names:\r\nGetFileVersionInfoA\r\nGetFileVersionInfoByHandle\r\nGetFileVersionInfoExW\r\nGetFileVersionInfoSizeA\r\nGetFileVersionInfoSizeExW\r\nGetFileVersionInfoSizeW\r\nGetFileVersionInfoW\r\nVerFindFileA\r\nVerFindFileW\r\nVerInstallFileA\r\nVerInstallFileW\r\nVerLanguageNameA\r\nVerLanguageNameW\r\nVerQueryValueA\r\nVerQueryValueW\r\nGetFileVersionInfoByHandleEx(void)\r\nDllEntryPoint\r\nThe export table shows that ORPCBackdoor is built on a version.dll template. version.dll is a Windows system dynamic link library whose main purpose is handling the version information of executable and DLL files.\r\nWe therefore have reason to believe that ORPCBackdoor relies on DLL hijacking, using the white-and-black pattern (a legitimate signed loader plus a malicious side-loaded DLL) to evade antivirus detection. 
The loader found this time is MicrosoftServices, but because many programs import this DLL, the group may use other white files to load it in the future.\r\nORPCBackdoor has two malicious entry points: the GetFileVersionInfoByHandleEx(void) export and DllEntryPoint.\r\nIn terms of design, ORPCBackdoor can be divided into two modules, an initialization module and an interaction module. All hard-coded strings are stored as hex strings; for example the string “SYSTEM INFORMATION \\n” is stored in ORPCBackdoor as “53595354454d20494e464f524d4154494f4e205c6e”. This slightly hinders static detection and analysis.\r\nFrom the features ORPCBackdoor supports, we infer that the backdoor sits at the front of the infection chain and exists to provide a basic foothold for follow-on actions.\r\n3.1.1 Initialization module description\r\nThe initialization module contains several functional sub-modules that together complete the preparatory work before interaction with the server: string parsing, a first-run check, persistence, local information collection and C2 liveness detection. Each part is detailed below.\r\n1. String initialization\r\nAs mentioned above, the key strings built into ORPCBackdoor are stored in hex form (the routine is named TOHEXStr), and ORPCBackdoor decodes each string at run time just before use. From the call context in the backdoor, the encoded strings also include the commands issued by the server.\r\n2. Persistence\r\nORPCBackdoor checks for a marker file to avoid creating persistence more than once. Before creating persistence, it checks whether the file ts.dat exists in its own directory. 
If the file does not exist, ORPCBackdoor creates persistence by instantiating the Task Scheduler COM object via its CLSID and registering a scheduled task named “Microsoft Update”. Once the task has been created, ts.dat is written as the marker.\r\n3. Initial information collection\r\nThe initial collection covers the process list, system information and user information. Beyond the basics, it also records the OS Build Type, Registered Owner and Install Date.\r\n4. Interaction initialization\r\nInteraction initialization mirrors the persistence module: it also uses the presence of a file to prevent multiple processes from talking to the server at once. The check is whether $cache.dat exists in the ProgramData directory; if it does, no connection to the server is established. Otherwise the initial RPC call is made with the protocol sequence ncacn_ip_tcp. If the server returns no data for the RPC call, the backdoor sleeps for 5 minutes and retries; once the server returns a command, execution passes to the interaction module.\r\n3.1.2 Interaction module description\r\nThe interaction module follows the usual command-dispatch pattern: a multi-level if-else chain parses the command issued by the server and performs the requested function. ORPCBackdoor supports only a small set of functions, chiefly obtaining a shell, plus some file handling, upload and download operations.\r\nThe commands ORPCBackdoor handles, and their corresponding functions, are as follows:\r\n1. 
ID\r\nThe function behind the ID command is unusual: the server sends a 0xF-byte block of data, fifteen digits (e.g. 818040900140701), which the backdoor stores in the local file %ProgramData%\\$tmp.txt. Since no ClientID generation appears earlier in the code flow, we believe this step assigns a victim ID so the server can distinguish between victims.\r\n2. INF\r\nThe INF command uploads the detailed host information gathered by the Initial Information Collection sub-module of the initialization module.\r\n3. DWN\r\nThe DWN command maps to a well-designed file download module. From the code, the DWN module is relatively robust: it reports the success or failure of each step back to the server so that the intended download completes as planned. Because ORPCBackdoor is the first link in the infection chain, the stability of this module matters a great deal.\r\n4. RUN\r\nThe RUN command executes the specified file, launching it with the WinExec API.\r\n5. DLY\r\nThe DLY command is a sleep command: the backdoor sleeps for the period specified by the server and then resumes.\r\n6. CMD\r\nThe CMD command is the core of ORPCBackdoor and provides the shell. Its logic parses the shell command issued by the server, obtains the command and splices it into a command line. 
The spliced command line is cmd.exe /c <command issued by the server> \u003e\u003e c:\\Users\\Public\\cr.dat.\r\nAfter execution completes, the contents of cr.dat are sent to the server and the cr.dat file is deleted, which gives the operator an interactive shell.\r\nDuring the analysis we observed that the server first issues the systeminfo command to collect system information again, followed by a second command, whoami.\r\nFrom the overall analysis we conclude that ORPCBackdoor is a relatively simple but mature backdoor design. It abandons the usual socket calls in favour of RPC, and the handling of its own strings, the version.dll hijacking template, and the consistency of domain names, program names and descriptions are all chosen to evade endpoint detection. This attack activity can therefore be considered a well-designed and planned operation. 
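The hex-string storage described in section 3.1 (every hard-coded string, including the server command verbs of section 3.1.2, kept as an ASCII hex string and decoded just before use) is cheap to undo at triage time. The following is an added example, written for this page and not code from the Knownsec report or from the sample: it scans a byte buffer for hex-text runs, decodes those that yield printable text, and produces the hex forms of the command verbs and marker file names for hunting in other samples. SAMPLE_BLOB is constructed for illustration; the only value taken from the report is the encoding of “SYSTEM INFORMATION \n”, and the assumption that the verbs and file names are stored the same way is this example's, not the report's.

```python
"""Recover the hex-encoded strings that ORPCBackdoor embeds.

Added example, not code from the Knownsec report. SAMPLE_BLOB is constructed
for illustration and is not data from the real sample; the only value taken
from the report is the encoding of "SYSTEM INFORMATION \\n" as
"53595354454d20494e464f524d4154494f4e205c6e". That the command verbs and file
names are stored the same way is an assumption of this example.
"""
import re

# A run of at least three hex byte pairs, bounded by non-hex characters. An
# odd-length run (not a valid hex string) yields no match at all.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){3,})(?![0-9A-Fa-f])")

COMMAND_VERBS = ["ID", "INF", "DWN", "RUN", "DLY", "CMD"]          # from the report
FILE_NAMES = ["ts.dat", "$cache.dat", "$tmp.txt", "cr.dat"]       # from the report

def to_hex_str(text: str) -> str:
    """Encode ASCII text the way the report's TOHEXStr strings appear (lower-case hex)."""
    return text.encode("latin-1").hex()

def decode_hex_runs(blob: bytes, min_printable: float = 0.9):
    """Find hex-text runs in a byte buffer and decode those that look like text.

    Returns a list of (offset, hex_text, decoded) tuples. Runs that decode to
    fewer than min_printable printable bytes are dropped, so hex-looking data
    such as "00ff00ff00ff" does not show up as a string.
    """
    results = []
    for match in HEX_RUN.finditer(blob):
        hex_text = match.group(1).decode("ascii")
        raw = bytes.fromhex(hex_text)
        printable = sum(32 <= b < 127 for b in raw) / len(raw)
        if printable >= min_printable:
            results.append((match.start(1), hex_text, raw.decode("latin-1")))
    return results

def hunting_strings() -> dict:
    """Hex forms of the verbs and marker names, for grep/YARA hunting in other samples."""
    return {name: to_hex_str(name) for name in COMMAND_VERBS + FILE_NAMES}

# Constructed buffer standing in for a region of the DLL: hex-encoded strings
# separated by NUL bytes, plus two decoys that must not be reported.
SAMPLE_BLOB = (
    b"MZ\x90\x00"
    + b"53595354454d20494e464f524d4154494f4e205c6e\x00"   # value quoted in the report
    + to_hex_str("CMD").encode() + b"\x00"
    + to_hex_str("c:\\Users\\Public\\cr.dat").encode() + b"\x00"
    + b"00ff00ff00ff\x00"                                  # valid hex, but not text
    + b"\x12\xab\x34"                                      # raw bytes, not hex text
)

if __name__ == "__main__":
    for offset, hex_text, decoded in decode_hex_runs(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {hex_text}  ->  {decoded!r}")
    for name, encoded in hunting_strings().items():
        print(f"{name:12} {encoded}")
```

Two-byte strings such as ID fall below the three-byte floor of HEX_RUN; lowering {3,} to {2,} catches them at the cost of many more false positives. Short hex verbs such as 434d44 are weak hunting strings on their own and are best combined with the version.dll export set or the longer marker file names.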
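The artefacts described in sections 3.1.1 and 3.1.2 (the ts.dat, $cache.dat and $tmp.txt marker files, the “Microsoft Update” scheduled task, the side-loaded DLL behind a legitimate Microsoft executable, and the cmd.exe /c <command> >> c:\Users\Public\cr.dat shell pattern) are all visible in ordinary endpoint telemetry. The following is an added example, not code from the Knownsec report: detection logic run over a handful of constructed, Sysmon-style events. The event field names and the drop directory C:\ProgramData\MicrosoftServices are assumptions of this example; the indicator values come from the report.

```python
"""Detection logic for the ORPCBackdoor host artefacts described in this report.

Added example, not code from the Knownsec report. The events below are
constructed, Sysmon-style records (the field names and the drop directory
C:\\ProgramData\\MicrosoftServices are assumptions of this example, not facts
from the report). The indicators come from the report: the
"cmd.exe /c <command> >> c:\\Users\\Public\\cr.dat" shell pattern, the
side-loaded DLL (OLMAPI32.dll built on a version.dll export template), the
marker files ts.dat, $cache.dat and $tmp.txt, and the scheduled task named
"Microsoft Update".
"""
import ntpath
import re

# Shell command line spliced by the CMD handler (case-insensitive, quotes optional).
CR_DAT_SHELL = re.compile(r"cmd(?:\.exe)?\s+/c\s+.*>>\s*\"?c:\\users\\public\\cr\.dat", re.I)

# DLL names worth checking for side-loading: the report's OLMAPI32.dll plus the
# version.dll template it imitates. Loads from these prefixes are treated as
# legitimate; anything else is flagged (a heuristic, an assumption of this example).
SIDELOAD_NAMES = {"olmapi32.dll", "version.dll"}
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# Fixed-path marker files from the report (%ProgramData% assumed to be C:\ProgramData).
# ts.dat is handled by name because it is written next to the DLL, wherever it lands.
MARKER_FILES = {
    "c:\\programdata\\$cache.dat": "ORPC $cache.dat interaction marker",
    "c:\\programdata\\$tmp.txt": "ORPC $tmp.txt victim-ID file",
    "c:\\users\\public\\cr.dat": "ORPC cr.dat shell output file",
}

def norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons do not depend on log formatting."""
    return path.replace("/", "\\").lower()

def check_event(ev: dict):
    """Return a list of (rule, detail) hits for one event; empty if nothing matched."""
    hits = []
    kind = ev.get("type")
    if kind == "ProcessCreate":
        if CR_DAT_SHELL.search(ev.get("cmdline", "")):
            hits.append(("orpc_cmd_shell", ev["cmdline"]))
    elif kind == "ImageLoad":
        loaded = norm(ev.get("loaded", ""))
        if ntpath.basename(loaded) in SIDELOAD_NAMES and not loaded.startswith(TRUSTED_PREFIXES):
            hits.append(("dll_sideload", f"{ev.get('image')} loaded {ev.get('loaded')}"))
    elif kind == "FileCreate":
        target = norm(ev.get("target", ""))
        if target in MARKER_FILES:
            hits.append(("orpc_marker_file", MARKER_FILES[target]))
        elif ntpath.basename(target) == "ts.dat":
            hits.append(("orpc_marker_file", "ORPC ts.dat persistence marker"))
    elif kind == "TaskCreate":
        # Exact task name from the report; compare case-insensitively.
        if ev.get("name", "").strip().lower() == "microsoft update":
            hits.append(("orpc_scheduled_task", ev["name"]))
    return hits

def scan(events):
    """Run check_event over every event; returns [(event_index, rule, detail), ...]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]

# Constructed sample telemetry: five malicious records interleaved with benign ones.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo >> c:\\Users\\Public\\cr.dat"},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir >> C:\\Users\\alice\\log.txt"},
    {"type": "ImageLoad", "image": "C:\\ProgramData\\MicrosoftServices\\MicrosoftServices.exe",
     "loaded": "C:\\ProgramData\\MicrosoftServices\\OLMAPI32.dll"},
    {"type": "ImageLoad", "image": "C:\\Windows\\explorer.exe",
     "loaded": "C:\\Windows\\System32\\version.dll"},
    {"type": "FileCreate", "target": "C:\\ProgramData\\$cache.dat"},
    {"type": "FileCreate", "target": "C:\\ProgramData\\MicrosoftServices\\ts.dat"},
    {"type": "FileCreate", "target": "C:\\Users\\alice\\notes.txt"},
    {"type": "TaskCreate", "name": "Microsoft Update"},
    {"type": "TaskCreate", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
]

if __name__ == "__main__":
    for index, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}: {detail}")
```

The ts.dat rule matches on file name alone and will fire on unrelated software that happens to use that name, so in production it should be correlated with a side-load hit from the same directory; the cr.dat rule is the most specific of the four, because the report shows the backdoor both appending to and then deleting that exact file on every CMD round-trip.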
At the same time, to avoid exposing itself, the group adopted a new attack weapon and changed its usual TTPs.\r\n3.2 Description of sample details\r\nThe metadata of the ORPCBackdoor samples shows that the earliest were created in February and March 2022:\r\nFigure 9\r\nFigure 10\r\nFigure 11: Normal version.dll\r\nFigure 12: ORPCBackdoor\r\nFigure 13: Deciding whether to proceed with persistence by checking for the marker file\r\nFigure 14: Collection of information about the processes currently running on the host\r\nFigures 15–18: Extremely detailed collection of system information\r\nFigure 19: Server command initialization\r\nFigure 20: RPC initialization\r\nFigure 21: Generating a ClientID\r\nFigure 22: The generated ClientID\r\nFigure 23: Uploading the system information collected earlier\r\nFigure 24: File download module\r\nFigure 25: RUN command, which runs the specified program\r\nFigure 26: Sleep module\r\nFigure 27: Core module (shell module)\r\nFigure 28: Command 1 issued by the server\r\nFigure 29: Command 2 issued by the server\r\nFigure 30: Sending and receiving server-side messages through the NdrClientCall2 API\r\n4. IOCs\r\nORPCBackdoor\r\n8AEB7DD31C764B0CF08B38030A73AC1D22B29522FBCF512E0D24544B3D01D8B3\r\n88ecbe38dbafde7f423eb2feb6dc4a74\r\nf4cea74c8a7f850dadf1e5133ba5e396\r\nC\u0026C\r\nmsdata.ddns[.]net\r\noutlook-services.ddns[.]net\r\nmsoutllook.ddns[.]net\r\noutlook-updates.ddns[.]net\r\n108.62.118[.]125:443\r\nmsdocs.ddns[.]net\r\n5. References\r\n1. Kaspersky, APT trends report Q2 2023\r\n2. Bitter’s new assault weapon analysis — ORPCBackdoor weapon\r\n3. PatchWork’s new assault Weapons report — EyeShell Weapons Disclosure\r\nSource: https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477"
	],
	"report_names": [
		"apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "053574fc-5d11-4a41-9741-057e111c7a39",
			"created_at": "2023-11-08T02:00:07.157454Z",
			"updated_at": "2026-04-10T02:00:03.429471Z",
			"deleted_at": null,
			"main_name": "Confucious",
			"aliases": [],
			"source_name": "MISPGALAXY:Confucious",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b194fbe4e9029637157c680d39564389dafb939.pdf",
		"text": "https://archive.orkl.eu/2b194fbe4e9029637157c680d39564389dafb939.txt",
		"img": "https://archive.orkl.eu/2b194fbe4e9029637157c680d39564389dafb939.jpg"
	}
}