{
	"id": "c6fc5bbf-f004-4a5b-a675-5de6df78bfbf",
	"created_at": "2026-04-06T00:17:05.864333Z",
	"updated_at": "2026-04-10T13:12:11.283034Z",
	"deleted_at": null,
	"sha1_hash": "38b7c38399ec535df6096d56fe906c0c031b3f79",
	"title": "New Threat Actor Group DarkHydrus Targets Middle East Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 298797,
	"plain_text": "New Threat Actor Group DarkHydrus Targets Middle East\r\nGovernment\r\nBy Robert Falcone, Bryan Lee, Tom Lancaster\r\nPublished: 2018-07-27 · Archived: 2026-04-05 18:54:45 UTC\r\nIn July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in\r\nthe Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on\r\nour telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in\r\noperation with their current playbook since early 2016. This attack diverged from previous attacks we observed\r\nfrom this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR\r\narchive attachments that contained malicious Excel Web Query files (.iqy).\r\n.iqy files are simple text files containing a URL which are opened by default by Excel. Once opened, Excel will\r\nretrieve whatever object is at the URL inside the file. These files have most recently been found in use by\r\ncriminals to deliver commodity RATs such as Flawed Ammyy. In DarkHydrus's case, the preferred payloads\r\nretrieved in their previous attacks were exclusively open-source legitimate tools which they abuse for malicious\r\npurposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a\r\ncustom PowerShell based payload that we call RogueRobin.\r\nAttack Analysis\r\nThe actors sent the spear-phishing emails between July 15 and 16. Each of the emails had a password protected\r\nRAR archive attached named credential.rar. The body of the message, seen in Figure 1, was written in Arabic and\r\nasks the recipient to review the document within the archive. The message also includes the password 123456 that\r\nis required to open the RAR archive. 
The credential.rar archive contained a malicious .iqy file named\r\ncredential.iqy.\r\nFigure 1 Message body in delivery email\r\nGoogle Translate renders the Arabic message as:\r\nhttps://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/\r\nPage 1 of 9\n\nHi\r\nPlease review and review the attached file\r\nGratefully\r\nPassword: 123456\r\nPayload Analysis\r\nThe credential.iqy is an .iqy file (SHA256:\r\ncc1966eff7bed11c1faada0bb0ed0c8715404abd936cfa816cef61863a0c1dd6) that contains nothing more than the\r\nfollowing text string:\r\nhxxp://micrrosoft[.]net/releasenotes.txt\r\nMicrosoft Excel natively opens .iqy files and will use the URL in the file to obtain remote data to include in the\r\nspreadsheets. By default, Excel does not allow the download of data from the remote server, but will ask for the\r\nuser’s consent by presenting the dialog box in Figure 2:\r\nFigure 2 Excel security notice for .iqy files\r\nBy enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The\r\ncontents within the releasenotes.txt file (SHA256:\r\nbf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contain the following formula that\r\nExcel will save to the “A0” cell in the worksheet:\r\nThe formula uses a command prompt to run a PowerShell script that attempts to download and execute a second\r\nPowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1. By default, Excel will not launch the\r\ncommand prompt application, but will do so with the user’s consent via the following dialog box in Figure 3:\r\nFigure 3 Confirmation of access of remote data\r\nThe winupdate.ps1 script (SHA256:\r\n36862f654c3356d2177b5d35a410c78ff9803d1d7d20da0b82e3d69d640e856e) is the main payload of this attack\r\nthat we call RogueRobin. 
Its developer used the open source Invoke-Obfuscation tool to obfuscate this\r\nPowerShell script, specifically using the COMPRESS technique offered by Invoke-Obfuscation. The\r\ndecompressed PowerShell payload has some similarities to the PowerShell Empire agent, such as the use of a\r\njitter value and commands referred to by job ID, but we do not have conclusive evidence that the author of this\r\ntool used Empire as a basis for their tool.\r\nBefore carrying out any of its functionality, the payload checks to see if it is executing in a sandbox. The payload\r\nuses WMI queries and checks running processes for evidence that the script may be executing within an analysis\r\nenvironment. The specific sandbox checks include:\r\nUsing WMI to check BIOS version (SMBIOSBIOSVERSION) for VBOX, bochs, qemu, virtualbox and\r\nvm.\r\nUsing WMI to check the BIOS manufacturer for XEN.\r\nUsing WMI to check if the total physical memory is less than 2900000000.\r\nUsing WMI to check if the number of CPU cores is less than or equal to 1.\r\nEnumerating running processes for \"Wireshark\" and \"Sysinternals\".\r\nIf the payload determines it is not running in a sandbox, it will attempt to install itself to the system to persistently\r\nexecute. To install the payload, the script will create a file %APPDATA%\\OneDrive.bat and save the following\r\nstring to it:\r\npowershell.exe -WindowStyle Hidden -exec bypass  -File \"%APPDATA%\\OneDrive.ps1\"\r\nThe script then writes a modified copy of itself to %APPDATA%\\OneDrive.ps1, with the code that performs this\r\ninstallation omitted. 
To persistently execute when the system starts, the script will create the following shortcut in\r\nthe Windows startup folder, which will run the OneDrive.ps1 script each time the user logs in:\r\n$env:SystemDrive\\Users\\$env:USERNAME\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk\r\nThe payload itself communicates with its configured command and control (C2) servers using a custom DNS\r\ntunneling protocol. The domains configured within this payload are:\r\nAnyconnect[.]stream\r\nBigip[.]stream\r\nFortiweb[.]download\r\nKaspersky[.]science\r\nmicrotik[.]stream\r\nowa365[.]bid\r\nsymanteclive[.]download\r\nwindowsdefender[.]win\r\nThe DNS tunneling protocol can use multiple different DNS query types to interact with the C2 server. The\r\npayload has a function it calls early on that tests to see which DNS query types are able to successfully reach the\r\nC2 server. It iterates through the list of types in the following order, and the first DNS type to receive a response\r\nfrom the C2 server is used for all further communications between the payload and the C2 server (editor's\r\nnote: AC is not a DNS record type but is a mode where the trojan will perform a request for an A record requiring\r\nac as a subdomain):\r\nA\r\nAAAA\r\nAC - (see note above)\r\nCNAME\r\nMX\r\nTXT\r\nSRV\r\nSOA\r\nThe payload uses the built-in Windows nslookup application with specific parameters and specially crafted\r\nsubdomains to communicate with the C2. To establish communications with the C2, the payload will first get a\r\nsystem specific identifier issued by the C2 server. 
The initial DNS query sent by the payload to obtain the system\r\nspecific identifier uses the following structure, which includes the current process identifier (PID) as the\r\nsubdomain of the C2 domain:\r\n\u003ccurrent process id\u003e.\u003cc2 domain\u003e\r\nThe C2 server will provide the system specific identifier within the answer portion of the DNS response. Table 1\r\nexplains how the payload obtains the system identifier from the C2 server’s answer depending on the query type:\r\nDNS Type Description\r\nA\r\nUses the regular expression '(\\d+)\\-.$Global:domain' to get the decimal\r\nvalue from the answer\r\nAAAA\r\nThe payload will split the IPv6 answer on \":\", take the [0] and [1] digits and\r\ntreat them as a hexadecimal value to obtain an integer.\r\nAC,CNAME,MX,TXT,SRV,SOA\r\nUses the regular expression 'Address:\\s+(\\d+.\\d+.\\d+.\\d+)' and uses the\r\ndecimal value in the first octet of that IPv4 address\r\nTable 1 Breakdown of query types\r\nOnce the system identifier is obtained, the payload gathers system specific information and sends it to the C2\r\nserver. The information gathered is added to a string in the following structure:\r\n\u003cIP address\u003e|\u003ccomputer name\u003e|\u003cdomain\u003e|\u003cusername\u003e|\u003cisAdmin flag\u003e|\u003chasGarbage flag from config\u003e|\r\n\u003chasStartup flag from config\u003e|\u003c\"hybrid\" mode flag from config\u003e|\u003csleep interval from config\u003e|\u003cjitter value from\r\nconfig\u003e\r\nThe payload will base64 encode this string and use its DNS tunneling protocol to transmit the data to the C2. The\r\ntunneling protocol transmits data by sending a series of DNS queries with the data within the subdomain of the C2\r\ndomain. 
The structure of each of these outbound DNS requests is as follows:\r\n\u003csystem ID\u003e-\u003cjob ID\u003e-\u003coffset in data\u003e\u003cmore data flag\u003e-\u003crandom length of base64 encoded data between 30 and\r\n42 characters\u003e.\u003cc2 domain\u003e\r\nThe payload will look for different responses to these outbound queries depending on the type of DNS request that\r\nthe payload uses to communicate with the C2. The following shows the specific IP addresses or strings used by\r\nthe C2 to transmit a success or cancel message depending on the type of DNS query used for C2 communications:\r\nDNS Type Successful Cancel\r\nA,AC 1.1.1.\\d+ 1.2.9.\\d+\r\nAAAA 2a00:: 2200::\r\nCNAME,MX,TXT,SRV,SOA ok cancel\r\nAfter providing system specific information, the payload will interact with the C2 server to obtain commands,\r\nwhich the payload refers to as jobs. The C2 will provide a string that the payload will use to determine the\r\ncommand to execute based on its command handler. To obtain strings to treat as commands, the payload will issue\r\na series of DNS queries to resolve domains with the following structure:\r\n\u003csystem id\u003e-\u003cjob ID\u003e-\u003coffset data specific to job\u003e.\u003cc2 domain\u003e\r\nThe C2 server will provide responses to these queries that contain answers in IPv4 or IPv6 addresses depending\r\non the type of DNS query the payload uses to communicate with its C2 server. 
The payload uses a specific\r\nregular expression, depending on the type of DNS query used, to obtain the command string; the patterns can be\r\nseen in Table 2:\r\nDNS TYPE Regex Pattern\r\nA Address:\\s+(\\d+.\\d+.\\d+.\\d+)\r\nAC \\d+-\\d+-(\\d+)-([\\w\\d+/=]+)-\\d-.ac.$Global:domain\r\nAAAA Address:\\s+(([a-fA-F0-9]{0,4}:{1,4}[\\w|:]+){1,8})\r\nCNAME,MX,TXT,SRV,SOA (\\d+)-([\\w\\d/=+]{0,})\\-.$Global:domain\r\nTable 2 Types of responses provided by C2\r\nThese regular expressions are used to build strings that the payload will then subject to its command handler. We\r\nanalyzed the payload to determine the commands available, which provide a variety of remote administration\r\ncapabilities. The command handler looks for the following command strings in Table 3:\r\nCommand Description\r\n$fileDownload Uploads the contents of a specified file to C2\r\n$importModule Adds a specified PowerShell module to the current script\r\n$screenshot\r\nExecutes the contents of the command, which should be the string '$screenshot'. We are\r\nnot sure if this works, but the command name would suggest it is meant to take a\r\nscreenshot\r\n$command Runs a PowerShell command and sends the output to the C2\r\nslp:\\d+ Sets the sleep interval between C2 beacons\r\n$testmode\r\nIssues DNS queries of A, AAAA, AC, CNAME, MX, TXT, SRV and SOA types to the C2\r\nservers attempting to determine which DNS query types were successful. 
This command\r\nwill automatically set the DNS type to use for actual C2\r\n$showconfig Uploads the current configuration of the payload to the C2\r\nslpx:\\d+ Sets the sleep interval between outbound DNS requests\r\n$fileUpload Downloads contents from the C2 server and writes them to a specified file\r\nTable 3 Commands available to payload\r\nCampaign Analysis\r\nThe following domains are configured within the payload to be used as C2s. Thematically, each domain appeared\r\nto be attempting to spoof the legitimate domain of an existing technology provider with an emphasis on security\r\nvendors.\r\nAnyconnect[.]stream\r\nBigip[.]stream\r\nFortiweb[.]download\r\nKaspersky[.]science\r\nmicrotik[.]stream\r\nowa365[.]bid\r\nsymanteclive[.]download\r\nwindowsdefender[.]win\r\nThe listed C2 servers all resolved to IPs belonging to a service provider in China at 1.2.9.0/24, which is the IP\r\nrange used by the C2 server to send a cancel communications message to the end system. These IPs provided\r\ninsufficient data for additional investigations. However, each of the listed domains used ns102.kaspersky[.]host\r\nand ns103.kaspersky[.]host as their name servers. Examination of ns102/ns103.kaspersky[.]host revealed that the\r\nsecond level domain kaspersky[.]host was illegitimate and not owned by the legitimate Kaspersky Labs. Passive\r\nDNS resolution of kaspersky[.]host revealed two IPs of interest, 107.175.150[.]113 and 94.130.88[.]9.\r\n94.130.88[.]9 showed passive DNS resolutions of two additional domains, 0utlook[.]bid and hotmai1[.]com. It is\r\nunknown what these domains may have been used for but based on the similarity of domain spoofing and sharing\r\nan IP, they are likely part of the adversary infrastructure. 107.175.150[.]113 showed one other domain resolution,\r\n\u003credacted\u003e.0utl00k[.]net. 
We were able to link this specific domain as a C2 for another weaponized document\r\n(SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) containing a PowerShell\r\nscript very similar to the one found in this attack. Examining the second level domain of 0utl00k[.]net revealed\r\nanother IP of interest, 195.154.41[.]150. This IP contained two other domain resolutions following the vendor\r\nspoofing theme: allexa[.]net and cisc0[.]net. Expanding upon cisc0[.]net, we discovered several weaponized\r\ndocuments and payloads using this domain as a C2, from mid to late 2017.\r\nOpen source intelligence provided by ClearSky Security indicates the domain cisc0[.]net is possibly related to the\r\nadversary group known as Copy Kittens. While there are significant tactical overlaps such as similarity of\r\ntechniques used as well as victimology, we were unable to uncover significant evidence of relational overlaps.\r\nFurther information regarding the Copy Kittens adversary can be found in a paper titled Operation Wilted Tulip.\r\nOur own dataset provides a solid grouping of the DarkHydrus group, with significant overlaps in C2 infrastructure\r\nas well as similarities in weaponized binaries. C2 domains were also left online and reused over an extended\r\namount of time, such as the domain micrrosoft[.]net which was used in this attack in addition to two other\r\npayloads in January 2017 and July 2017.\r\nStudying the other samples we have attributed to DarkHydrus, we are able to ascertain that this adversary has\r\nmainly leveraged weaponized Microsoft Office documents using tools available freely or from open source\r\nrepositories such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike. The documents generally\r\ndo not contain malicious code and instead are weaponized to retrieve remote files containing malicious code on\r\nexecution. 
Due to the modular nature of the delivery document, the data available for analysis of these attacks depends\r\nupon the operational nature of the C2 server at the time of execution.\r\nConclusion\r\nThe DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East\r\nusing malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the\r\ncontents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command\r\nto ultimately install a PowerShell script to gain backdoor access to the system. 
The PowerShell backdoor\r\ndelivered in this current attack may have been custom developed by the threat group; however, it is possible that\r\nDarkHydrus pieced together this tool by using code from legitimate open source tools.\r\nPalo Alto Networks customers are protected by:\r\nThe micrrosoft[.]net domain has had a malicious classification since March 3, 2017.\r\nAll C2 domains associated with this payload have a command and control classification.\r\nTraps provides endpoint protection, as it can block Excel from creating a command prompt process.\r\nAutoFocus customers may learn more from the DarkHydrus tag.\r\nIOC\r\nRelated SHA256 Hashes\r\nPayloads\r\ncec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1\r\nac7f9c536153780ccbec949f23b86f3d16e3105a5f14bb667df752aa815b0dc4\r\na547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88\r\nd428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda\r\ndd2625388bb2d2b02b6c10d4ee78f68a918b25ddd712a0862bcf92fa64284ffa\r\nb2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81\r\nc8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3\r\nce84b3c7986e6a48ca3171e703e7083e769e9ced1bbdd7edf8f3eab7ce20fd00\r\n99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c\r\nDelivery documents\r\nd393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318\r\n8063c3f134f4413b793dfc05f035b6480aa1636996e8ac4b94646292a5f87fde\r\n9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49\r\ncf9b2b40ac621aaf3241ff570bd7a238f6402102c29e4fbba3c5ce0cb8bc25f9\r\n0a3d5b2a8ed60e0d96d5f0d9d6e00cd6ab882863afbb951f10c395a3d991fbc1\r\n0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82\r\n870c8b29be2b596cc2e33045ec48c80251e668abd736cef9c5449df16cf2d3b8\r\nff0b59f23630f4a854448b82f1f0cd66bc4b1124a3f49f0aecaca28309673cb0\r\n01fd7992aa71f4dca3a3766c438fbabe9aea78ca5812ab75b5371b48bd2625e2\r\n6dcb3492a45a08127f9816a1b9e195de2bb7e0731c4e7168392d0e8068adae7a\r\n47b8ad55b66cdcd78d972d6df5338b2e32c91af0a666531baf1621d2786e7870\r\n776c056096f0e73898723c0807269bc299ae3bbd8e9542f0a1cbba0fd3470cb4\r\ncf7863e023475d695c6f72c471d314b8b1781c6e9087ff4d70118b30205da5f0\r\ne88045931b9d99511ce71cc94f2e3d1159581e5eb26d4e05146749e1620dc678\r\n26e641a9149ff86759c317b57229f59ac48c5968846813cafb3c4e87c774e245\r\nb5cfaac25d87a6e8ebabc918facce491788863f120371c9d00009d78b6a8c350\r\nad3fd1571277c7ce93dfbd58cee3b3bec84eeaf6bb29a279ecb6a656028f771c\r\nRelated Domains\r\nmaccaffe[.]com\r\ncisc0[.]net\r\n0utl00k[.]net\r\nmsdncss[.]com\r\n0ffice[.]com\r\n0ffiice[.]com\r\nmicrrosoft[.]net\r\nanyconnect[.]stream\r\nbigip[.]stream\r\nfortiweb[.]download\r\nkaspersky[.]science\r\nmicrotik[.]stream\r\nowa365[.]bid\r\nsymanteclive[.]download\r\nwindowsdefender[.]win\r\nallexa[.]net\r\nkaspersky[.]host\r\nhotmai1[.]com\r\n0utlook[.]bid\r\nSource: https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
	],
	"report_names": [
		"unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government"
	],
	"threat_actors": [
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "467c5e72-55a6-40a9-9b73-bb764889c0a5",
			"created_at": "2022-10-25T16:07:23.486532Z",
			"updated_at": "2026-04-10T02:00:04.628477Z",
			"deleted_at": null,
			"main_name": "CopyKittens",
			"aliases": [
				"CopyKittens",
				"G0052",
				"Operation Wilted Tulip",
				"Slayer Kitten"
			],
			"source_name": "ETDA:CopyKittens",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EmPyre",
				"EmpireProject",
				"Matryoshka",
				"Matryoshka RAT",
				"PowerShell Empire",
				"TDTESS",
				"Vminst",
				"ZPP",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38b7c38399ec535df6096d56fe906c0c031b3f79.pdf",
		"text": "https://archive.orkl.eu/38b7c38399ec535df6096d56fe906c0c031b3f79.txt",
		"img": "https://archive.orkl.eu/38b7c38399ec535df6096d56fe906c0c031b3f79.jpg"
	}
}