{
	"id": "63b727ff-790a-486e-821e-8492c54500c3",
	"created_at": "2026-04-06T00:21:47.591599Z",
	"updated_at": "2026-04-10T03:36:33.396232Z",
	"deleted_at": null,
	"sha1_hash": "5caa3af9facac2e25b868e6afb482d156eacad78",
	"title": "China-based APT Mustang Panda might still have continued their attack activities against organizations in",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112713,
	"plain_text": "China-based APT Mustang Panda might still have continued their\r\nattack activities against organizations in\r\nBy Yến Hứa\r\nPublished: 2022-05-20 · Archived: 2026-04-05 20:36:14 UTC\r\nTable of Contents\r\n1. Executive Summary\r\n2. Analyze the log.dll\r\n3. Shellcode analysis\r\n4. Analyze the extracted Dll\r\n4.1. How PlugX calls an API function\r\n4.2. Create main thread to execute\r\n4.3. Communicating with C2\r\n4.4. Implemented commands\r\n4.5. Decrypt PlugX configuration\r\n5. Conclusion\r\n6. References\r\n7. Indicators of Compromise\r\n1. Executive Summary\r\nAt VinCSS, we continuously monitor cyber security, hunt malware samples and evaluate them to determine their potential risk, with particular attention to samples targeting Vietnam. Recently, while hunting on VirusTotal’s platform and scanning for specific byte patterns related to Mustang Panda (PlugX), we discovered a series of malware samples, suspected to be related to APT Mustang Panda, that were uploaded from Vietnam.\r\nAll of these samples share the same name, “log.dll”, and have a rather low detection rate.\r\nBased on the above, we infer that certain organizations in Vietnam may have been infected with this malware, so we decided to analyze these samples. During the analysis, based on the detected indicators, we continued to investigate and reconstruct the scenario of the attack campaign.\r\nA general overview of the execution flow is shown below:\r\nOur blog includes:\r\nhttps://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html\r\nPage 1 of 16\n\nTechnical analysis of the log.dll file.\r\nTechnical analysis of the shellcode decrypted from log.dat.\r\nAnalysis of the PlugX Dll as well as decryption of the PlugX configuration information.\r\n
2. Analyze the log.dll\r\nFrom the list of hunted samples above, we chose the one with hash:\r\n3171285c4a846368937968bf53bc48ae5c980fe32b0de10cf0226b9122576f4e\r\nThis sample was submitted to VirusTotal from Vietnam on 2022-04-25 14:04:36 UTC.\r\nThe information from the Rich Header suggests that it was likely compiled with Visual Studio 2012/2013:\r\nChecking the section information, we can see that it is packed or that the code is obfuscated:\r\nThe sample has the original name ljAt.dll and exports two functions, LogFree and LogInit:\r\nLoading the sample into IDA, we analyze the code of the two functions above.\r\nLogFree function:\r\nLooking at this function, it can be seen that its code has been completely obfuscated by Obfuscator-LLVM using the Control Flow Flattening technique:\r\nAfter further analysis, I found that this function has no special task.\r\nLogInit function:\r\nThis function calls the LogInit_0 function:\r\nSimilar to the above, the code of the LogInit_0 function has also been completely obfuscated; it takes IDA a long time to decompile this function:\r\nThe primary task of the LogInit_0 function is to call the function f_read_content_of_log_dat_file_to_buf, which reads the content of the log.dat file, and then execute the decrypted shellcode:\r\nThe code of f_read_content_of_log_dat_file_to_buf is also completely obfuscated:\r\nThe major tasks of this function are the following:\r\nCall the GetModuleHandleW function to retrieve the handle of kernel32.dll.\r\nCall the GetProcAddress function to get the addresses of the APIs VirtualAlloc, GetModuleFileNameA, CreateFileA and ReadFile.\r\nUse the above APIs to retrieve the path to the log.dat file and read the contents of this file into the allocated memory.\r\nDecode the contents of log.dat into shellcode, which is then executed by the call from the LogInit_0 function.\r\n
3. Shellcode analysis\r\nBased on the information analyzed above, we know that the log.dll file reads the content of the log.dat file and decrypts it into shellcode for further execution. Relying on this indicator, we continued to hunt for log.dat files on VirusTotal, restricting the submission source to Vietnam.\r\nThe results are as follows:\r\nFrom the above results, at the time of analysis we selected the log.dat file (2de77804e2bd9b843a826f194389c2605cfc17fd2fafde1b8eb2f819fc6c0c84) that was submitted to VirusTotal on 2022-04-20 12:33:19 UTC (5 days before the above log.dll file).\r\nDebugging and dumping the decrypted shellcode gives the following:\r\nI used two tools, FLOSS and scdbg, to get an overview of this shellcode. The results can be seen in the screenshots below:\r\nFrom the results obtained above, it can be seen that this shellcode performs a memory allocation and then calls the RtlDecompressBuffer function to decompress the data using the compression format COMPRESSION_FORMAT_LZNT1.\r\nUsing IDA to analyze this shellcode, its main task is to decompress a Dll into memory and call the exported function of this Dll to execute it. The function that does this task is named f_load_dll_from_memory:\r\nThe code in this function first gets the base address of kernel32.dll based on the pre-calculated hash value 0x6A4ABC5B. This hash value has also been mentioned by us in this analysis.\r\nNext it retrieves the address of GetProcAddress:\r\nUsing the stackstring technique, the shellcode constructs the names of the APIs and gets the addresses of the following API functions:\r\nNext, the shellcode allocates memory (compressed_buf) of size 0x2E552, then reads data from offset 0x1592 (on disk) and runs an xor loop with the key 0x72 to fill compressed_buf. In fact, the size of compressed_buf is 0x2E542, but its first 16 bytes are used to store the signature, uncompressed_size and compressed_size, so 0x10 is added.\r\nThe shellcode continues by allocating memory (uncompressed_buf) of size 0x4C000 and calling the RtlDecompressBuffer function to decompress the data in compressed_buf into uncompressed_buf using the compression format COMPRESSION_FORMAT_LZNT1.\r\nBased on the above analysis results, it is easy to obtain the extracted Dll file (however, the file header information has been destroyed):\r\nAfter fixing the header information and checking with PE-bear, this Dll has the original name RFPmzNfQQFPXX and exports only one function, named Main:\r\nBack in the shellcode, after decompressing the Dll into memory, it performs the task of a loader, mapping this Dll into a new memory region. Then it calls the exported function (here the Main function) to perform the main task of the malware:\r\nNote: At the time of analyzing this shellcode, we had not yet confirmed that it is a variant of the PlugX malware, but only suspected the relationship. Only when we analyzed the extracted Dll did we confirm for sure that this is a PlugX variant, and we renamed the fields in the struct for readability, as in the screenshot above.\r\n
4. Analyze the extracted Dll\r\nWe will not go into a detailed analysis of this Dll, but only provide the information necessary to prove that this is a PlugX variant, as well as the process of decrypting the configuration information that the malware uses.\r\n4.1. How PlugX calls an API function\r\nIn this variant, information about API functions is stored as an xmmword, then loaded into the xmm0 (128-bit) register; the remaining part of the function name is loaded through the stack. The malicious code gets the handle of the Dll corresponding to these API functions, then uses the GetProcAddress function to retrieve the address of the specified API function for later use:\r\n4.2. Create main thread to execute\r\nThe malware adjusts the SeDebugPrivilege and SeTcbPrivilege privileges in its own process token in order to gain full access to system processes. Then it creates its main thread, which is named “bootProc”:\r\n4.3. Communicating with C2\r\nThe malware can communicate with C2 via the TCP, HTTP or UDP protocols:\r\n4.4. Implemented commands\r\nThe malware receives commands from the attacker to execute the corresponding functions related to Disk, Network, Process, Registry, etc.\r\nThe entire list of commands that the attacker can execute through this malware sample is shown in the table below:\r\nCommand Group | Sub-command | Description\r\nDisk | 0x3000 | Get information about the drives (type, free space)\r\nDisk | 0x3001 | Find file\r\nDisk | 0x3002 | Find file recursively\r\nDisk | 0x3004 | Read data from the specified file\r\nDisk | 0x3007 | Write data to the specified file\r\nDisk | 0x300A | Create a new directory\r\nDisk | 0x300C | Create a new process on hidden desktop\r\nDisk | 0x300D | File action (file copy/rename/delete/move)\r\nDisk | 0x300E | Expand environment-variable strings\r\nNethood | 0xA000 | Enumeration of network resources\r\nNetstat | 0xD000 | Retrieve a table that contains a list of TCP endpoints\r\nNetstat | 0xD001 | Retrieve a table that contains a list of UDP endpoints\r\nNetstat | 0xD002 | Set the state of a TCP connection\r\nOption | 0x2000 | Lock the workstation’s display\r\nOption | 0x2001 | Force shut down the system\r\nOption | 0x2002 | Restart the system\r\nOption | 0x2003 | Shut down the system safely\r\nOption | 0x2005 | Display message box\r\nPortMap | 0xB000 | Perform port mapping\r\nProcess | 0x5000 | Retrieve processes info\r\nProcess | 0x5001 | Retrieve modules info\r\nProcess | 0x5002 | Terminate specified process\r\nRegEdit | 0x9000 | Enumerate registry\r\nRegEdit | 0x9001 | Create registry\r\nRegEdit | 0x9002 | Delete registry\r\nRegEdit | 0x9003 | Copy registry\r\nRegEdit | 0x9004 | Enumerates the values of the specified open registry key\r\nRegEdit | 0x9005 | Sets the data and type of a specified value under a registry key\r\nRegEdit | 0x9006 | Deletes a named value from the specified registry key\r\nRegEdit | 0x9007 | Retrieves a registry value\r\nService | 0x6000 | Retrieves the configuration parameters of the specified service\r\nService | 0x6001 | Changes the configuration parameters of a service\r\nService | 0x6002 | Starts a service\r\nService | 0x6003 | Sends a control code to a service\r\nService | 0x6004 | Delete service\r\nShell | 0x7002 | Create pipe and execute command line\r\nSQL | 0xC000 | Get SQL data sources\r\nSQL | 0xC001 | Lists SQL drivers\r\nSQL | 0xC002 | Executes SQL statement\r\nTelnet | 0x7100 | Start telnet server\r\nScreen | 0x4000 | Simulate working over the RDP protocol\r\nScreen | 0x4100 | Take screenshot\r\nKeyLog | 0xE000 | Perform key logger function, log keystrokes to file “%allusersprofile%MSDN6.0USER.DAT”\r\n
4.5. Decrypt PlugX configuration\r\nAs analyzed above, the malware connects to the C2 address via the HTTP, TCP or UDP protocol depending on the specified configuration. So where is this config stored? In the older malware samples that we have analyzed (1, 2, 3, 4), the PlugX configuration is usually stored in the .data section with a size of 0x724 (1828) bytes.\r\nGoing back to the sample we are analyzing, we see that before the step of checking the parameters passed when the malware executes, it calls the function that performs the task of decrypting the configuration:\r\nDiving into this function, combined with additional debugging of the shellcode and renaming the fields in the generated struct, we obtain the following information:\r\nPlugX’s configuration is embedded in the shellcode and starts at offset 0x69.\r\nThe size of the configuration is 0x0150C (5388) bytes.\r\nThe decryption key is 0xB4.\r\nWith all of the above information, it is possible to recover the configuration easily:\r\nIP | Port\r\n86.78.23.152 | 53\r\n86.78.23.152 | 22\r\n86.78.23.152 | 8080\r\n86.78.23.152 | 23\r\nIn addition to the list of C2 addresses above, there is further information related to the directory created on the victim machine to hold the malware files, as well as the name of the service that may be created:\r\nTo make our lives easier, I wrote a Python script to automatically extract the configuration information for this variant. The output after running the script is as follows:\r\n
5. Conclusion\r\nCrowdStrike researchers first published information on Mustang Panda in June 2018, after approximately one year of observing malicious activities that shared unique Tactics, Techniques, and Procedures (TTPs). However, according to research collected from many different cybersecurity companies, this APT group has existed for more than a decade, with different variants found around the world. Mustang Panda, believed to be an APT group based in China, is assessed as one of the most damaging APT groups, applying sophisticated techniques to deliver malware with the aim of gaining as much long-term access as possible to conduct espionage and information theft.\r\nIn this blog we have analyzed the different steps the infamous PlugX RAT follows to start execution and avoid detection. It can be seen that this APT group is still active and constantly looking for ways to improve its techniques. VinCSS will continue to search for additional samples and variants that may be associated with the PlugX variant that we analyzed in this article.\r\n
6. References\r\n[RE012-1] Analysis of malware exploiting the Covid-19 epidemic to spread a fake “Directive of Prime Minister Nguyễn Xuân Phúc” – Part 1\r\n[RE012-2] Analysis of malware exploiting the Covid-19 epidemic to spread a fake “Directive of Prime Minister Nguyễn Xuân Phúc” – Part 2\r\nPlugX: A Talisman to Behold\r\nTHOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group\r\nMustang Panda deploys a new wave of malware targeting Europe\r\nBRONZE PRESIDENT Targets Russian Speakers with Updated PlugX\r\nChina-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations\r\n
7. Indicators of Compromise\r\nlog.dll – db0c90da56ad338fa48c720d001f8ed240d545b032b2c2135b87eb9a56b07721\r\nlog.dll – 84893f36dac3bba6bf09ea04da5d7b9608b892f76a7c25143deebe50ecbbdc5d\r\nlog.dll – 3171285c4a846368937968bf53bc48ae5c980fe32b0de10cf0226b9122576f4e\r\nlog.dll – da28eb4f4a66c2561ce1b9e827cb7c0e4b10afe0ee3efd82e3cc2110178c9b7a\r\nlog.dat – 2de77804e2bd9b843a826f194389c2605cfc17fd2fafde1b8eb2f819fc6c0c84\r\nDecrypted config:\r\n[+] Folder name: %ProgramFiles%BitDefender Update\r\n[+] Service name: BitDefender Crash Handler\r\n[+] Proto info: HTTP://\r\n[+] C2 servers:\r\n86.78.23.152:53\r\n86.78.23.152:22\r\n86.78.23.152:8080\r\n86.78.23.152:23\r\n[+] Campaign ID: 1234\r\nlog.dat – 0e9e270244371a51fbb0991ee246ef34775787132822d85da0c99f10b17539c0\r\nDecrypted config:\r\n[+] Folder name: %ProgramFiles%BitDefender Update\r\n[+] Service name: BitDefender Crash Handler\r\n[+] Proto info: HTTP://\r\n[+] C2 servers:\r\n86.79.75.55:80\r\n86.79.75.55:53\r\n86.79.75.46:80\r\n86.79.75.46:53\r\n[+] Campaign ID: 1234\r\nlog.dat – 3268dc1cd5c629209df16b120e22f601a7642a85628b82c4715fe2b9fbc19eb0\r\nDecrypted config:\r\n[+] Folder name: %ProgramFiles%Common FilesARO 2012\r\n[+] Service name: BitDefender Crash Handler\r\n[+] Proto info: HTTP://\r\n[+] C2 servers:\r\n86.78.23.152:23\r\n86.78.23.152:22\r\n86.78.23.152:8080\r\n86.78.23.152:53\r\n[+] Campaign ID: 1234\r\nlog.dat – 02a9b3beaa34a75a4e2788e0f7038aaf2b9c633a6bdbfe771882b4b7330fa0c5 (THOR PlugX)\r\nDecrypted config:\r\n[+] Folder name: %ProgramFiles%BitDefender Handler\r\n[+] Service name: BitDefender Update Handler\r\n[+] Proto info: HTTP://\r\n[+] C2 servers:\r\nwww.locvnpt.com:443\r\nwww.locvnpt.com:8080\r\nwww.locvnpt.com:80\r\nwww.locvnpt.com:53\r\n[+] Campaign ID: 1234\r\nDang Dinh Phuong – Threat Hunter\r\nTran Trung Kien (aka m4n0w4r) – Malware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html"
	],
	"report_names": [
		"re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5caa3af9facac2e25b868e6afb482d156eacad78.pdf",
		"text": "https://archive.orkl.eu/5caa3af9facac2e25b868e6afb482d156eacad78.txt",
		"img": "https://archive.orkl.eu/5caa3af9facac2e25b868e6afb482d156eacad78.jpg"
	}
}