{
	"id": "939a7459-3c69-4982-93d8-e264c432ef82",
	"created_at": "2026-04-06T01:31:21.160558Z",
	"updated_at": "2026-04-10T03:21:16.889702Z",
	"deleted_at": null,
	"sha1_hash": "721a76bc16d0da638e1d3367c0339db2e2cdb961",
	"title": "A technical analysis of Pegasus for Android – Part 1 – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8641151,
	"plain_text": "A technical analysis of Pegasus for Android – Part 1 – CYBER\r\nGEEKS\r\nPublished: 2022-08-29 · Archived: 2026-04-06 00:29:03 UTC\r\nSummary\r\nPegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and\r\nCitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and\r\nwe recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out\r\nthat vendors wrongly attributed some undocumented APK files to Pegasus, as highlighted by a researcher here.\r\nWe’ve splitted the analysis into 3 parts because of the code’s complexity and length. We’ve also tried to keep the\r\nsections name proposed by Lookout whenever it was possible so that anybody could follow the two approaches\r\nmore easily. In this part, we’re presenting the initialization of the application (including its configuration), the\r\ntargeted applications, the commands related to the core functionality, and the methods that Pegasus could use to\r\nremove itself from a device. Our contributions consist of dissecting the application deeper than before and\r\nexplaining additional functionalities that were identified.\r\nTechnical analysis\r\nSHA256: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5\r\nWe’ve performed the analysis using JD-GUI Java Decompiler and Android Studio.\r\nInitial Launch and Configuration\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 1 of 49\n\nThe application must obtain an initial configuration from an URL found in the Browser history or from a file\r\ncalled “/data/myappinfo” or “/system/ttg”. As we’ll see during the entire analysis, the malware is pretty noisy and\r\nlogs messages using the Log.i method. Interestingly, the author mentions the JigglyPuff character from Pokemon\r\nin the logging function:\r\nFigure 1\r\nFigure 2\r\nFirstly, the application tries to parse a config file called “/data/myappinfo” or “/system/ttg” if the first one doesn’t\r\nexist:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 2 of 49\n\nFigure 3\r\nFigure 4\r\nThe malware deletes a file called “/data/cksnb.dat” using a binary called “/system/csk”. According to Lookout,\r\nthis file is present on devices that were previously rooted. The purpose of this binary is to run a command passed\r\nas a parameter (such as “rm”) with root privileges:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 3 of 49\n\nFigure 5\r\nWhether the process finds one of the configuration files mentioned above, it reads an URL that will be deleted\r\nfrom the Browser history. Some of the settings are Base64-encoded and will be decoded using an implementation\r\nof the Base64 algorithm:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 4 of 49\n\nFigure 6\r\nThe application reads a token and an “installation” value from the configuration file:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 5 of 49\n\nFigure 7\r\nFurthermore, the process reads a configuration value called “local” and another one called “userNetwork”, which\r\nrepresents the mobile country code of the victim’s phone:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 6 of 49\n\nFigure 8\r\nThe malware reads a configuration value that specifies whether it should communicate with the C2 server while\r\nthe phone is roaming. The configuration file also contains commands to be executed by Pegasus:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 7 of 49\n\nFigure 9\r\nThe version of the installed agent (“packageVersion”) and a value called “vulnarbilityIndicator” are also read from\r\nthe configuration file. The last value is set when requesting an update package, and it would create an mp3 file\r\nthat exploits the Media Player on the phone, according to our analysis:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 8 of 49\n\nFigure 10\r\nThe agent copies a file called “/data/cksnb.dat” to “/data/data/com.network.android/output.mp3”. As also\r\nhighlighted below, the mp3 file would exploit a “vulnarbility” [sic] in Media Player:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 9 of 49\n\nFigure 11\r\nFigure 12\r\nA config value called “url address” will be removed from the browser history. The application extracts a table\r\ncontaining both bookmarks and history items from Browser.BOOKMARKS_URI:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 10 of 49\n\nFigure 13\r\nAs we mentioned before, the application could retrieve the configuration from an URL containing “rU8IPXbn”\r\nfound in the Browser history, as highlighted in figure 14.\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 11 of 49\n\nFigure 14\r\nThe agent parses the target URL and extracts a token (“t=” parameter), a Base64-encoded command and signature\r\n(“\u0026c”), the “installation” value (“\u0026b”), the “userNetwork” configuration option (“\u0026d”), and the\r\n“windowYuliyus” value (“\u0026r”):\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 12 of 49\n\nFigure 15\r\nThe malware expects a valid token and a valid target URL; otherwise, it calls the Log.e method with the\r\n“getSettingsFromBH no valid settings on getSettingsFromHistory” message:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 13 of 49\n\nFigure 16\r\nThe agent calls a function that validates the MCC (mobile country code) extracted from the configuration:\r\nFigure 17\r\nThe getSubscriberId function is utilized to extract the unique subscriber ID. The first 3 digits represent the mobile\r\ncountry code (MCC), which is compared with the value extracted from the configuration:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 14 of 49\n\nFigure 18\r\nThe application verifies whether the “did_we_restart_after_upgrade_already” value, which indicates that the\r\ndevice was rebooted after the installation of Pegasus, is true or false. In the case of no reboot, the application\r\nrestarts the phone using the “reboot” command:\r\nFigure 19\r\nFigure 20 reveals how the “/system/csk” binary is used to run commands with root privileges:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 15 of 49\n\nFigure 20\r\nThe agent uses a regex to parse the target URL and to extract the IP address and the token, as highlighted below:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 16 of 49\n\nFigure 21\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 17 of 49\n\nFigure 22\r\nThe process calls a function that deletes the target URL from the Browser history based on the IP address\r\nextracted above:\r\nFigure 23\r\nThe malware starts logging some messages before performing the deletion operation:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 18 of 49\n\nFigure 24\r\nThe application retrieves the bookmarks and history items from “Browser.BOOKMARKS_URI” and\r\n“Browser.HISTORY_PROJECTION”:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 19 of 49\n\nFigure 25\r\nThe URL containing “rU8IPXbn” is deleted from the Browser history by calling the Browser.deleteFromHistory\r\nfunction:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 20 of 49\n\nFigure 26\r\nFigure 27\r\nThe configuration data is saved in a preference file called “NetworkPreferences” that can be accessed using the\r\nAndroid SharedPreferences APIs.\r\nTargeted Applications\r\n1. Facebook\r\nThe database files storing the Facebook messages are made accessible to everyone by running the following\r\ncommands:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 21 of 49\n\nchmod 0777 /data/data/com.facebook.katana\r\nchmod 0777 /data/data/com.facebook.katana/databases\r\nchmod 0777 /data/data/com.facebook.katana/databases/threads_db2\r\nchmod 0777 /data/data/com.facebook.katana/databases/threads_db2-journal\r\nThe following SQL query is executed:\r\nSELECT messages.msg_id, messages.thread_id, messages.timestamp_ms, messages.text, messages.sender,\r\nthreads.participants from messages INNER JOIN threads ON messages.thread_id=threads.thread_id\r\nFigure 28\r\n2. Kakao\r\nThe database files storing the KakaoTalk chat logs are made accessible to everyone by running the following\r\ncommands:\r\nchmod 0777 /data/data/com.kakao.talk\r\nchmod 0777 /data/data/com.kakao.talk/databases\r\nchmod 0777 /data/data/com.kakao.talk/databases/KakaoTalk.db\r\nchmod 0777 /data/data/com.kakao.talk/databases/KakaoTalk.db-journal\r\nThe following SQL query is executed:\r\nSELECT chat_logs.id, chat_logs.chat_id, chat_logs.created_at, chat_logs.message, chat_logs.user_id,\r\nchat_logs.type, c.members FROM chat_logs JOIN chat_rooms c ON chat_logs.chat_id=c.id\r\nFigure 29\r\n3. Skype\r\nThe database files storing the Skype chat messages are made accessible to everyone by running the following\r\ncommands:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 22 of 49\n\nchmod 0777 /data/data/com.skype.raider/files/\u003cDirectories\u003e\r\nchmod 0777 /data/data/com.skype.raider/files/main.db\r\nchmod 0777 /data/data/com.skype.raider/files/main.db-journal\r\nThe following SQL query is executed:\r\nSELECT Messages.id as msg_id, messages.convo_id, from_dispname, messages.author,\r\nmessages.timestamp, messages.body_xml, conversations.displayname, Messages.dialog_partner FROM\r\nMessages LEFT JOIN Conversations ON messages.convo_id = conversations.id\r\nFigure 30\r\n4. Twitter\r\nThe database files storing the Twitter messages are made accessible to everyone by running the following\r\ncommands:\r\nchmod 0777 /data/data/com.twitter.android\r\nchmod 0777 /data/data/com.twitter.android/databases/*.db\r\nThe following SQL query is executed:\r\nSELECT messages._id, messages.type, messages.msg_id, messages.content, messages.created,\r\nmessages.sender_id, messages.recipient_id, messages.thread, s.name, s.username, r.name, r.username\r\nFROM messages JOIN users s ON messages.sender_id = s.user_id JOIN users r ON messages.recipient_id\r\n= r.user_id\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 23 of 49\n\nFigure 31\r\n5. Viber\r\nThe database files storing the Viber messages are made accessible to everyone by running the following\r\ncommands:\r\nchmod 0777 /data/data/com.viber.voip/\r\nchmod 0777 /data/data/com.viber.voip/databases/viber_messages\r\nchmod 0777 /data/data/com.viber.voip/databases/viber_messages-journal\r\nThe agent executes the SQL query displayed in the figure below.\r\nFigure 32\r\n6. WhatsApp\r\nThe database files storing the WhatsApp messages are made accessible to everyone by running the following\r\ncommands:\r\nchmod 0777 /data/data/com.whatsapp\r\nchmod 0777 /data/data/com.whatsapp/databases\r\nchmod 0777 /data/data/com.whatsapp/shared_prefs\r\nchmod 0777 /data/data/com.whatsapp/shared_prefs/com.whatsapp_preferences.xml\r\nchmod 0777 /data/data/com.whatsapp/databases/msgstore.db\r\nchmod 0777 /data/data/com.whatsapp/databases/wa.db\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 24 of 49\n\nThe following SQL queries are executed:\r\nselect * from messages\r\nselect timestamp from messages order by _id desc limit 1\r\nFigure 33\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 25 of 49\n\nFigure 34\r\n7. Gmail\r\nThe following SQL queries are executed (“/data/data/com.google.android.gm/databases/EmailProvider.db”\r\ndatabase):\r\nselect * from messages\r\nselect * from Message\r\nselect _id from messages order by _id desc limit 1\r\nselect _id from Message order by _id desc limit 1\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 26 of 49\n\nFigure 35\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 27 of 49\n\nFigure 36\r\n8. Android Native Email\r\nThe database file storing the Android Native emails and attachments is made accessible to everyone by running\r\nthe following commands:\r\nchmod 0777 /data/data/com.android.email\r\nchmod 0777 /data/data/com.android.email/databases/EmailProvider.db\r\nThe following SQL queries are executed:\r\nselect * from Message where _id = \u003cId\u003e\r\nselect * from Attachment where _id = \u003cId\u003e\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 28 of 49\n\nFigure 37\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 29 of 49\n\nFigure 38\r\n9. Android Native Browser\r\nThe database file storing the user name and password entered in the WebView is made accessible to everyone by\r\nrunning the following commands:\r\nchmod 0777 /data/data/com.android.browser\r\nchmod 0777 /data/data/com.android.browser/databases\r\nchmod 0777 /data/data/com.android.browser/databases/webview.db\r\nThe following SQL query is executed:\r\nselect * from password\r\nThe agent also extracts the bookmarks and history items from Browser.BOOKMARKS_URI and\r\nBrowser.HISTORY_PROJECTION.\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 30 of 49\n\nFigure 39\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 31 of 49\n\nFigure 40\r\nFigure 41\r\n10. Default Calendar\r\nThe agent extracts the Android version string from the “Build.VERSION.RELEASE” property:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 32 of 49\n\nFigure 42\r\nDepending on the Android version, the calendar’s events can be found at “content://com.android.calendar/events”\r\nor “content://calendar/events”, as shown in figure 43:\r\nFigure 43\r\nThe application extracts the events title, summary, description, and other properties (see figure 44). The calendar\r\nentries are added to an XmlSerializer object that has multiple attributes:\r\nFigure 44\r\nSuicide Functionality\r\n1st method\r\nThe agent will kill itself if it finds a file called “/sdcard/MemosForNotes” on the device:\r\nFigure 45\r\nThe malware starts the removal operation by logging the “removeAppalication start” message, as shown in the\r\nfigure below:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 33 of 49\n\nFigure 46\r\nThe application removes all files that are located in the “/data/local/tmp/ktmu” directory:\r\nFigure 47\r\nThe SharedPreferences.Editor.clear function is utilized to remove the following preference files containing\r\nconfiguration data: “NetworkPreferences”, “NetworkWindowAddresess”, and “NetworkDataList” (see figure 48).\r\nFigure 48\r\nThe following commands are run by the malware:\r\nexport LD_LIBRARY_PATH=/vendor/lib:/system/lib – set the LD_LIBRARY_PATH environment\r\nvariable\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 34 of 49\n\nmount -o remount,rw /dev/null /system – remount the system directory\r\nforce-stop com.network.android – stop the malicious application\r\ndisable com.network.android – disable the malicious application\r\nrm /system/app/com.media.sync.apk – remove this file\r\npm uninstall com.network.android – uninstall the malicious application\r\nrm /system/ttg – remove the configuration file\r\nchmod 0777 /system/csk; rm /system/csk – delete the binary used to run commands with root privileges\r\n(“superuser binary”)\r\nFigure 49\r\n2nd method\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 35 of 49\n\nThe malware will also remove itself if it didn’t communicate with the C2 server in the last 60 days:\r\nFigure 50\r\n3rd method\r\nThe suicide functionality is also used when no subscriber ID is identified (see figure 18).\r\n4th method\r\nThe Pegasus’ C2 server can issue a command to the agent in order to remove itself.\r\nPegasus implements 4 main commands that can be executed: dumpCmd, upgradeCmd, camCmd, and\r\nemailAttCmd (figure 51).\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 36 of 49\n\nFigure 51\r\ndumpCmd command\r\nThe agent can activate/deactivate some actions depending on the dumpSms, dumpWhatsApp, dumpEmails,\r\ndumpContacts, dumpCalander [sic], dumpCall boolean values:\r\nFigure 52\r\nThe agent extracts the SMS messages sent and received from “content://sms/sent” and “content://sms/inbox”.\r\nEvery SMS is stored in a new XmlSerializer object, as highlighted below:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 37 of 49\n\nFigure 53\r\nFigure 54\r\nThe malware extracts the Phone call logs from “CallLog.Calls.CONTENT_URI”. Each log is stored in a new\r\nXmlSerializer object that contains attributes such as “recordId”, “timestamp”, “type”, “number”, “duration”,\r\n“isStart”, and “direction”:\r\nFigure 55\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 38 of 49\n\nFigure 56\r\nThe application retrieves the phone contacts from the “ContactsContract.Contacts.CONTENT_VCARD_URI”\r\nentry. Every contact is stored in an XmlSerializer object:\r\nFigure 57\r\nFigure 58\r\nFigure 59\r\nThe agent obtains a list of application processes running on the device via a call to getRunningAppProcesses:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 39 of 49\n\nFigure 60\r\nThis command is also responsible for retrieving the information already described in the “Targeted applications”\r\nsection.\r\nupgradeCmd command\r\nThe process creates a file called “/data/data/com.network.android/upgrade/uglmt.dat” that will store the upgraded\r\napplication that is downloaded from the C2 server. It computes the MD5 hash of the file and then compares the\r\nresult with a value that comes with the package:\r\nFigure 61\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 40 of 49\n\nFigure 62\r\nThe agent loads uglmt.dat as a dex file using DexClassLoader and then calls the\r\n“com.media.provapp.DrivenObjClass.perfU” method with the\r\n“/data/data/com.network.android/upgrade/intro.mp3” argument:\r\nFigure 63\r\nFigure 64\r\nAfter successfully upgrading the agent, the following files are deleted by calling the File.delete function:\r\n/data/data/com.network.android/upgrade/uglmt.dat\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 41 of 49\n\n/data/data/com.network.android/upgrade/cuvmnr.dat\r\n/data/data/com.network.android/upgrade/zero.mp3\r\n/data/data/com.network.android/upgrade/*com.media.sync*\r\nFigure 65\r\ncamCmd command\r\nFirstly, the process relies on a binary that should exist on Android called “/system/bin/screencap” in order to take a\r\nscreenshot of the screen. The result is saved as a PNG image at “/data/data/com.network.android/bqul4.dat”:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 42 of 49\n\nFigure 66\r\nSecondly, if the above binary doesn’t exist then the malware will use a resource (found in res/raw/ folder) called\r\n“take_screen_shot” that will handle the operation. The result is stored at\r\n“/data/data/com.network.android/tss64.dat”:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 43 of 49\n\nFigure 67\r\nIn any case, the screenshots’ information will be stored in an XmlSerializer object described below:\r\nFigure 68\r\nAs we can see in the assembly code of take_screen_shot, the binary captures the Android screen content by\r\nreading the “/dev/graphics/fb0” framebuffer that is processed and stored as a PNG image:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 44 of 49\n\nFigure 69\r\nFigure 70\r\nThe captured PNG images are compressed to JPG and saved as “ScreenShot-res\u003cInteger\u003e-\u003cCurrent Time in\r\nseconds\u003e.jpg”:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 45 of 49\n\nFigure 71\r\nThe process can take photos with the front/back camera. It calls the getParameters function in order to obtain the\r\ncurrent settings for the Camera service and then calls getPreviewFormat:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 46 of 49\n\nFigure 72\r\nDepending on the front/back camera, the taken photo is saved as “Front-res\u003cInteger\u003e-\u003cCurrent Time in\r\nseconds\u003e.jpg” or “Back-res\u003cInteger\u003e-\u003cCurrent Time in seconds\u003e.jpg”\r\nFigure 73\r\nemailAttCmd command\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 47 of 49\n\nThe application creates a database containing a table called “NetworkData” that stores the email attachments’\r\nname and path, as displayed in figure 74.\r\nFigure 74\r\nThe command’s purpose is to extract a specific email attachment mentioned by the C2 server:\r\nFigure 75\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 48 of 49\n\nFigure 76\r\nWe were surprised to find out that during the initialization routine, the threat actor mentioned the “Pegasus” string\r\nin a log message:\r\nFigure 77\r\nSource: https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1\r\nPage 49 of 49",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1"
	],
	"report_names": [
		"a-technical-analysis-of-pegasus-for-android-part-1"
	],
	"threat_actors": [],
	"ts_created_at": 1775439081,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/721a76bc16d0da638e1d3367c0339db2e2cdb961.pdf",
		"text": "https://archive.orkl.eu/721a76bc16d0da638e1d3367c0339db2e2cdb961.txt",
		"img": "https://archive.orkl.eu/721a76bc16d0da638e1d3367c0339db2e2cdb961.jpg"
	}
}