{
	"id": "5feff117-84a1-472b-8b0d-a846b84fb26a",
	"created_at": "2026-04-06T00:19:43.086856Z",
	"updated_at": "2026-04-10T03:36:36.914548Z",
	"deleted_at": null,
	"sha1_hash": "3b20141827d501a83ec5e11303887bf5ceb32b41",
	"title": "TA505: Malware Activity \u0026 New FlawedGrace Variant | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2215550,
	"plain_text": "TA505: Malware Activity \u0026 New FlawedGrace Variant |\r\nProofpoint US\r\nBy Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, and Brandon Murphy\r\nPublished: 2021-10-15 · Archived: 2026-04-05 19:39:51 UTC\r\nKey Takeaways \r\nThe prominent TA505 has returned to distributing large volumes of malicious emails affecting most\r\nindustries.\r\nNew tools include a KiXtart Loader, the MirrorBlast loader, an updated FlawedGrace variant, and updated\r\nmalicious Excel attachments.\r\nOne of the region-specific campaigns targeted German-speaking countries, notably Germany and Austria.\r\nThe campaigns share many similarities with TA505 campaigns from 2019 and 2020.\r\nOverview \r\nSince early September 2021, Proofpoint researchers are tracking renewed malware campaigns by the financially\r\ndriven TA505. The campaigns, which are distributed across a wide range of industries, started with low volume\r\nemail waves that ramped up in late September, resulting in tens to hundreds of thousands of emails.\r\nMany of the campaigns, especially the large volume ones, strongly resemble the historic TA505 activity from\r\n2019 and 2020. The commonalities include similar domain naming conventions, email lures, Excel file lures, and\r\nthe delivery of the FlawedGrace remote access trojan (RAT). The campaigns also contain some noteworthy, new\r\ndevelopments, such as retooled intermediate loader stages scripted in Rebol and KiXtart, which are used instead\r\nof the previously popular Get2 downloader. The new downloaders perform similar functionality of reconnaissance\r\nand pulling in the next stages. Lastly, there is an updated version of FlawedGrace.\r\nEvolving Campaigns\r\nThe initial campaigns observed by Proofpoint in September 2021 were comparatively small in volume, several\r\nthousand emails per wave, and delivered malicious Excel attachments. 
In late September and in early October\r\n2021 this changed, and TA505 began sending higher email volumes, tens to hundreds of thousands, to more\r\nindustries. Additionally, the actor began leveraging both URL and attachment-based email campaigns and\r\ndiversified from targeting predominantly North America to also targeting German-speaking countries, including\r\nGermany and Austria.\r\nSeptember 2021 Campaigns\r\nThe early campaigns identified by Proofpoint in September 2021 were low volume compared to typical TA505\r\nactivity, with only several thousand messages per wave. TA505 used more specific lures that did not affect as\r\nmany industries as the more recent October 2021 campaigns. Example lures included legal, media release,\r\nsituation report, and health claim themes. These early campaigns also largely focused on targets in North America,\r\nsuch as the United States and Canada.\r\nThe emails contained an Excel attachment that, when opened and macros enabled, would lead to the download\r\nand running of an MSI file. The MSI file in turn would execute an embedded Rebol loader, dubbed by Proofpoint\r\nas MirrorBlast.\r\nFigure 1. Email purporting to be from an insurance claims analyst, part of the September 28, 2021 campaign.\r\nFigure 2. The insurance claim Excel attachment, part of the September 28, 2021 campaign.\r\nOctober 2021 Campaigns \r\nIn late September and throughout October 2021, Proofpoint observed a shift to familiar TA505 tactics, techniques,\r\nand procedures (TTPs) that are reminiscent of the actor’s 2019 and 2020 campaigns. 
An additional intermediary\r\nloader scripted in KiXtart was introduced, and the attack chain evolved to the following:\r\nAn email containing one of the below:\r\nExcel attachment\r\nHTML attachment that links to the download of an Excel file\r\nURL linking to a landing page that redirects to the download of an Excel file\r\nURL directly linking to an Excel file\r\nThe Excel file macros download and run an MSI file\r\nThe MSI file executes an embedded KiXtart loader\r\nThe KiXtart loader receives a command from the C\u0026C server to download another MSI file that executes\r\nMirrorBlast\r\nMirrorBlast then downloads additional Rebol script stagers\r\nThe follow-on Rebol stagers drop ReflectiveGnome\r\nReflectiveGnome in turn downloads more shellcode, that will then drop and detonate FlawedGrace\r\nThe email lures moved away from the detailed lures seen initially in this spate of campaigns. They became more\r\ngeneric, with subjects such as “SECUREFILE,” “SECURE DOCUMENT,” and “You’ve been sent a secure\r\nmessage.” Additionally, the themes and abused brands included COVID-19, DocuSign, insurance, invoices, and\r\nMicrosoft.\r\nFigure 3. October 13, 2021 German-language email using a OneDrive shared file lure.\r\nFigure 4. October 13, 2021 landing page abusing Microsoft and OneDrive branding.\r\nFigure 5. Excel file used in the October 13, 2021 campaign with a simple green lure.\r\nSimilarities to Historic TA505 Activity\r\nThere is much similarity between the new and historic TA505 campaigns, starting with the emails.\r\nFigure 6. 
The OneDrive shared file email lure used on August 21, 2020 (left) strongly resembles a similar email\r\nfrom October 7, 2021 (right). Note the additional use of a COVID-19 theme in the recent campaign.\r\nThe landing pages in historic and current TA505 campaigns contain “IP Logger” links that likely enable TA505 to\r\ntrack the IP addresses of the machines downloading the malicious files. Additionally, TA505 is still mimicking file\r\nhosting services in the landing pages.\r\nFigure 7. The landing page used in a November 21, 2019 campaign is shown on the left, while the landing page\r\nused in the October 7, 2021 campaign is shown on the right.\r\nWhile the Excel macros VBA code in the recent TA505 campaigns is different, some of the Excel graphic lures\r\nare similar or identical to those previously used by TA505.\r\nFigure 8. The Excel sheet lure spoofing Microsoft logos remained identical from September 2, 2020 (Left) to\r\nOctober 6, 2021 (Right).\r\nDomain naming conventions: It is also notable that TA505 has historically used domains that mimic various file\r\nhosting service providers and structured them in formats with hyphen-separated terms. The domains used in late\r\nSeptember 2021 and onward follow this structure.\r\nCode reuse: Proofpoint researchers found code reuse in parts of the delivery chain such as in multiple parts of the\r\nlanding page (see an example mentioned here).\r\nExcel Macros Analysis\r\nFor TA505’s 2021 campaigns to be successful, potential victims must enable macros after opening the malicious\r\nExcel files. 
The code responsible for downloading the next stage MSI file was typically lightly obfuscated with\r\nfiller characters, string reversing or similar simple functions and hidden in the document Comments, Title, in a\r\nCell or other locations.\r\nFigure 9. Example Excel macros code.\r\nFigure 10. The parameters Subject and Comments are stored in the workbook properties.\r\nFigure 11. Deobfuscated downloader JScript. This pulls the next stage—an MSI file.\r\nIntermediate Loaders \r\nTA505 now uses multiple intermediate loaders before the delivery of the FlawedGrace RAT. The new loader\r\nstages are coded in uncommon scripting languages—Rebol and KiXtart. They appear to serve the same purpose as\r\nGet2—a downloader that has been in use by TA505 since 2019 to deliver a variety of secondary payloads. The\r\nloaders perform minimal reconnaissance of an infected machine, such as collecting user domain and username\r\ninformation, and download further payloads.\r\nFigure 12. Attack paths ultimately leading to FlawedGrace.\r\nIn the attack chain, the Excel macros download the first MSI file, which executes the first loader, encoded in\r\nthe KiXtart scripting language. The KiXtart interpreter then receives a command from the C\u0026C server to download a\r\nfollow-on MSI package. Of note, the KiXtart loader is not always part of the attack chain. The second MSI package\r\ncontains multiple files that may have different names, for example, AudioDriver.exe (the Rebol interpreter),\r\nAudioDriver.exe.lnk (command that informs .ico execution), and image.ico (the Rebol script). This Rebol script is\r\nthe second new downloader in the chain, which Proofpoint dubbed MirrorBlast.\r\nFigure 13. 
Example of MirrorBlast script; it may differ slightly between campaigns.\r\nMirrorBlast in turn downloads additional Rebol script stagers that execute simple downloaders, dubbed by\r\nProofpoint as ReflectiveGnome. ReflectiveGnome in turn downloads more shellcode, which will then drop and\r\ndetonate FlawedGrace.\r\nFigure 14. Rebol script downloaded by MirrorBlast that drops ReflectiveGnome loader (dwm-x64.exe / dwm-x32.exe).\r\nFigure 15. ReflectiveGnome loader which executes the next stage as a shellcode.\r\nFigure 16. This shellcode drops and detonates an updated FlawedGrace.\r\nUpdated FlawedGrace RAT\r\nProofpoint researchers first observed FlawedGrace in November 2017. 
It is a full-featured RAT written in C++\r\nthat can receive the following commands from its C\u0026C via a custom binary protocol on TCP port 443:\r\ntarget_remove\r\ntarget_update\r\ntarget_reboot\r\ntarget_module_load\r\ntarget_module_load_external\r\ntarget_module_unload\r\ntarget_download\r\ntarget_upload\r\ntarget_rdp\r\ntarget_passwords\r\ntarget_servers\r\ntarget_script\r\ndestroy_os\r\ndesktop_stat\r\nWhile Proofpoint researchers are still investigating the updates to this version of FlawedGrace, some notable\r\nchanges include:\r\nEncrypted strings\r\nObfuscated API calls\r\nConfiguration is now stored as an encrypted resource (initial/default config), then it is stored both in a\r\nmapped memory region (current configuration instance) and in the registry (persistence)\r\nAttribution\r\nProofpoint attributes the campaigns discussed in this blog to TA505 with high confidence. Proofpoint's assessment\r\nthat TA505 is responsible for this renewed activity is based on the aforementioned similarities between historic\r\nTA505 campaigns and this new activity, including, but not limited to, code similarities, domain naming patterns\r\nand the use of FlawedGrace, which has been almost exclusively linked to TA505 activity.\r\nOutlook\r\nTA505 is an established threat actor that is financially motivated and known for conducting malicious email\r\ncampaigns on a previously unprecedented scale. The group regularly changes its TTPs and is considered a\r\ntrendsetter in the world of cybercrime. This threat actor does not limit its target set, and is, in fact, an equal\r\nopportunist with the geographies and verticals it chooses to attack. 
This combined with TA505’s ability to be\r\nflexible, focusing on what is the most lucrative and shifting its TTPs as necessary, make the actor a continued\r\nthreat.\r\nProofpoint researchers expect TA505 to continue to adjust its operations and methods always with an eye to\r\nfinancial gain. Using intermediate loaders in its attack chain is also likely to become a longer-term technique\r\nemployed by the threat actor.\r\nEmergingThreats Detection Rules\r\n2034012 - ET TROJAN MirrorBlast Checkin (trojan.rules)\r\n2034022 - ET TROJAN MirrorBlast CnC Activity M2 (trojan.rules)\r\n2034023 - ET TROJAN MirrorBlast CnC Activity M3 (trojan.rules)\r\n2034091 - ET TROJAN MirrorBlast KiXtart Downloader Client Request (trojan.rules)\r\n2034110 - ET TROJAN MirrorBlast KiXtart Downloader Server Response (trojan.rules)\r\n2034136 - ET TROJAN MirrorBlast KiXtart Downloader Client Request M2 (trojan.rules)\r\n2034042 - ET TROJAN ReflectiveGnome Download Activity (trojan.rules)\r\nEmergingThreats PRO Detection Rules\r\n2850099 - ETPRO TROJAN FlawedGrace CnC Activity M2 (trojan.rules)\r\n2850098 - ETPRO TROJAN FlawedGrace CnC Activity M1 (trojan.rules)\r\nIndicators of Compromise\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant"
	],
	"report_names": [
		"whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b20141827d501a83ec5e11303887bf5ceb32b41.pdf",
		"text": "https://archive.orkl.eu/3b20141827d501a83ec5e11303887bf5ceb32b41.txt",
		"img": "https://archive.orkl.eu/3b20141827d501a83ec5e11303887bf5ceb32b41.jpg"
	}
}