{
	"id": "9a35b3ff-a2b1-45b7-a559-77147a229bc9",
	"created_at": "2026-04-06T00:17:03.305268Z",
	"updated_at": "2026-04-10T03:37:08.872415Z",
	"deleted_at": null,
	"sha1_hash": "bef40e70d5e5fb8384d13acb9cd2d3e36e5bc354",
	"title": "DanaBot Malware: New Year, New Version | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1522966,
	"plain_text": "DanaBot Malware: New Year, New Version | Proofpoint US\r\nBy Dennis Schwarz, Axel F., and Brandon Murphy, January 26, 2021\r\nPublished: 2021-01-26 · Archived: 2026-04-05 21:09:31 UTC\r\nProofpoint researchers discovered an updated version of DanaBot in the wild. DanaBot is a banking/stealer malware\r\nfirst discovered by Proofpoint in May 2018. There have been at least three significant versions of the malware: \r\nVersion 1: DanaBot - A new banking Trojan surfaces Down Under \r\nVersion 2: DanaBot Gains Popularity and Targets US Organizations in Large Campaigns \r\nVersion 3: ESET’s DanaBot updated with new C\u0026C communication \r\nThis will be the fourth major update. \r\nFrom May 2018 to June 2020, DanaBot was a fixture in the crimeware threat landscape. Proofpoint researchers\r\nobserved multiple threat actors with at least 12 affiliate IDs in version 2 and 38 IDs in version 3. These\r\naffiliate identifications (IDs) represent the threat actors the DanaBot operators serve. Distribution has typically\r\ntargeted financial institutions predominantly located in the United States, Canada, Germany, United Kingdom, Australia,\r\nItaly, Poland, Mexico, and Ukraine. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint’s data and\r\nin public threat intel repositories (e.g. MalwareBazaar and #DanaBot). It disappeared from the threat landscape without a\r\nclear cause. \r\nStarting in late October 2020, we observed a significant update to DanaBot samples appearing in VirusTotal. At the time of\r\npublication, Proofpoint researchers spotted two affiliate IDs using this latest version with at least one distribution\r\nmethod. While it has not returned to its former scale, DanaBot is malware that defenders should put back on their radar. \r\nMalware Analysis \r\nThe sample with a SHA-256 hash of c0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d was used\r\nfor this analysis. 
\r\nLike previous versions of DanaBot, version 4 is a large, multithreaded, modular malware written in the Delphi programming\r\nlanguage. A loader component (EXE) decrypts, decompresses, and executes a secondary component (DLL) seen\r\nin Figure 1: \r\nFigure 1: Malware execution \r\nThe secondary component removes the loader and reruns itself using a specially crafted export name highlighted above in\r\nred in Figure 1. The export name is base64 decoded and the first three bytes are subtracted from each\r\nother (i.e., running_mode = byte_0 – byte_1 – byte_2). This value determines the running mode of the secondary\r\ncomponent, with four options available: \r\nRunning Mode  Description \r\n0  Main component \r\n1  TOR component \r\n2  Used for process injection of downloaded files \r\n3  Module component \r\nhttps://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot\r\nPage 1 of 13\n\nThis analysis will mostly focus on mode 0, the main component. \r\nAnti-Analysis \r\nBesides being written in Delphi there are a few other anti-analysis features in the malware: \r\nSome strings are constructed one character at a time (Figure 2) \r\nSome Windows API functions are resolved at run-time \r\nWhen a malware-related file is read or written to the filesystem, it is done in the middle of benign decoy file reads\r\nor writes \r\nPersistence is maintained by creating an LNK file that executes the main component in the user’s Startup directory.\r\nThis file is only written once a WM_QUERYENDSESSION Windows event is received when the user logs off \r\nFigure 2: String obfuscation example, where strings are constructed one character at a time \r\nConfiguration \r\nDanaBot’s configuration is hardcoded into a 356-byte structure (Figure 3): \r\nFigure 3: Configuration structure of DanaBot \r\nKey configuration items are highlighted in red in Figure 
3 and include the following: \r\nAffiliate ID \r\nAs previously reported in DanaBot control panel revealed, we believe DanaBot is set up as a “malware as a service” in\r\nwhich one threat actor controls a global command and control (C\u0026C) panel and infrastructure then sells access to other\r\nthreat actors known as affiliates. \r\nThis field likely represents the ID of the affiliate associated with the sample. At the time of publication, only two IDs were\r\nfound: 3 and 21. It is currently unclear whether version 4 affiliate IDs will overlap with previous version affiliate IDs,\r\nthough they did change between versions 2 and 3. \r\nEmbedded Hash \r\nIt is currently unclear what the following embedded hash values represent: \r\nE1D3580C52F82AF2B3596E20FB85D9F4 \r\nDE420A65BFC5F29167A85A5199065A0E \r\nE0ECDBB46B59DFAB6F7CB1136E7496F5 \r\n429B39BF421C0F74463EF2A17209ADAA \r\n6266E79288DFE2AE2C2DB47563C7F93A \r\nDE6DF8FA2198DD77CFD93D89D8ECC62D \r\nVersion \r\nThis field below likely represents a version number that increments in newer samples: \r\n1650 \r\n1701 \r\n1705 \r\n1732 \r\n1755 \r\nC\u0026C IP Addresses and Ports \r\nThe IP addresses are hardcoded as DWORD values and are set to the following in the analyzed sample: \r\n23[.]226.132.92 \r\n23[.]106.123.249 \r\n108[.]62.141.152 \r\n104[.]144.64.163 \r\nVersion 3 of DanaBot mixed in decoy C\u0026C addresses, but it does not appear version 4 is making use of them. \r\nTOR \r\nDanaBot has functionality to switch to TOR-based C\u0026C. The analyzed sample contains the following hardcoded\r\nonion hostname: \r\n5jjsgjephjcua63go2o5donzw5x4hiwn6wh2dennmyq65pbhk6qflzyd\\.onion \r\nCommand and Control \r\nThe C\u0026C protocol in version 4 is similar to version 3. 
An example request is shown in Figure 4: \r\nFigure 4: Example C\u0026C request \r\nIt is still a binary protocol using mostly TCP port 443. Requests and responses have a plaintext header (highlighted in blue\r\nin Figure 4) followed by command data (highlighted in purple). The header is 28 bytes and has the following fields: \r\nOffset  Size  Name  Notes \r\n0x00  8-bytes  Data length \r\n0x08  4-bytes  Data compression/encryption mode  Four modes, described below \r\n0x0c  8-bytes  Random value \r\n0x14  8-bytes  Checksum  Value = data length + random value \r\nThe command data structure is: \r\nAES-encrypted data \r\nPadding length (4-bytes) \r\nRSA-encrypted session key \r\nRSA Signature (in responses) \r\nDepending on the command, data can be compressed using zlib (mode 1), ZIP (mode 2), or not compressed (modes 0 and\r\n3). \r\nData is encrypted with AES-256 in CBC mode using a generated session key. In modes 0, 1, and 2, the session key is\r\nrandomly generated and encrypted with RSA. For requests to the C\u0026C server, an embedded public RSA key is used. For\r\nresponses from the C\u0026C server, a generated RSA key is used (see below). For mode 3, the session key\r\nis derived with CryptDeriveKey from the MD5 uppercase hex digest of the bot ID. \r\nResponses from the C\u0026C also contain an RSA signature which is verified using an embedded public RSA key. \r\nThe first request to the C\u0026C server is a key exchange where an RSA key pair is generated by the malware, and the public\r\nkey is sent to the C\u0026C server. There is no response from the C\u0026C for this request. Session keys used in future responses\r\nfrom the C\u0026C server will be encrypted using this key. \r\nThe second request is an initial beacon to the C\u0026C server. 
The data is a 479-byte structure containing: \r\nOffset  Size  Name  Notes \r\n0x00  4-bytes  Length \r\n0x04  8-bytes  Random value \r\n0x0C  8-bytes  Checksum  Value = data length + random value \r\n0x14  4-bytes  Affiliate ID  See Configuration section above \r\n0x18  4-bytes  Command  Described below \r\n0x1c  4-bytes  Sub-command  Described below \r\n0x20  4-bytes  Version  See Configuration section above \r\n0x24  4-bytes  Is admin flag \r\n0x28  4-bytes  Process integrity level \r\n0x2c  4-bytes  Architecture \r\n0x30  4-bytes  Windows version  Encoded into a DWORD value \r\n0x34  4-bytes  Time zone bias \r\n0x38  36-bytes  Unknown null bytes \r\n0x5c  41-bytes  Bot ID  Prepended with string length and CRC32 value. MD5 uppercase hex digest of hardware profile GUID \r\n0x85  41-bytes  Embedded hash value  Prepended with string length and CRC32 value. See Configuration section above \r\n0xae  41-bytes  Checksum 2  Prepended with string length and CRC32 value. MD5 uppercase hex digest of affiliate ID, bot ID, and embedded hash values concatenated together \r\n0xd7  41-bytes    MD5 uppercase hex digest of three random values. Prepended with string length and CRC32 value \r\n0x100  remaining  Unknown null bytes \r\nOnce decrypted (this particular response uses mode 0 and an extra layer of mode 3), the response from the C\u0026C for the\r\ninitial beacon is an echo of the request. \r\nOther commands use similar structures but will not be detailed in this post. \r\nCommands \r\nSome of the main C\u0026C commands we have identified include: \r\nCommand 1024, Sub-command 0 \r\nThe initial beacon described in the C\u0026C section above. \r\nCommand 2048, Sub-command 0 \r\nThis command returns three hash values. 
It is unclear what the hashes are of, but they represent: \r\nCurrent set of “CommandRecord”s \r\nCurrent set of modules and/or files to download and execute \r\nCurrent set of “OnlineRec”s \r\nCommand 2048, Sub-command 1 \r\nGet updated list of C\u0026C IP addresses. \r\nCommand 2048, Sub-command 2 \r\nThis command returns a list of hash values. The hash values represent individual “CommandRecord”s. \r\nCommand 2048, Sub-command 3 \r\nThis command is used to fetch a “CommandRecord”. These records map to three commands: \r\nSwitch to TOR C\u0026C communications \r\nSet C\u0026C sleep value \r\nEnable the built-in stealer and system information components \r\nThe stealer component steals credentials from various software such as web browsers and File Transfer Protocol\r\n(FTP) clients. The system information component collects system information seen below in Figure 5: \r\nFigure 5: Example output from stealer/system information report \r\nCommand 2048, Sub-command 4 \r\nThis command is used to send arbitrary data such as an initial screenshot and report from the stealer/system\r\ninformation components to the C\u0026C server. \r\nCommand 2048, Sub-command 6 \r\nThis command returns a set of “OnlineRec”s. Referencing our DanaBot control panel revealed blog post, these records seem\r\nto map to similar functionality accessible from the “Online” tab of the version 3 control panel seen below in Figure 6: \r\nFigure 6: “Online” tab of version 3 control panel \r\nThis includes functionality such as command shell, file system access, screen/keyboard/mouse access, and SOCKS proxy. \r\nCommand 2048, Sub-command 8 \r\nNote: all run modes detailed below reference the malware execution section above \r\nThis command returns a list of hashes. 
The hash values represent individual file records. File records are downloaded with\r\ncommand 2048, sub-command 9. File records are used to download files or modules to execute. Executable files can\r\nbe run using: \r\nregsvr32.exe \r\nrundll32.exe \r\nCreateProcess \r\nProcess injection into secondary component using running mode 2 \r\nModules are known as “MLocalProcess”s and are loaded into secondary components using run mode 3. They communicate\r\nwith the main component over a localhost connection. At the time of publication, we have not seen any modules being\r\ndistributed by the C\u0026Cs. Based on previous versions of DanaBot, we suspect that the modules will enable the\r\nfollowing functionality: \r\nPerson-in-the-browser functionality along with web injects \r\nVideo recording of the screen \r\nKeylogging \r\nVNC/RDP \r\nCommand 2048, Sub-command 10 \r\nUsed to download TOR. The TOR client will be loaded into a secondary component using running mode 1. \r\nDistribution Via Cracks Websites \r\nProofpoint researchers were able to narrow down at least one of the DanaBot distribution methods to various software warez\r\nand cracks websites that supposedly offer software keys and cracks for a free download, including anti-virus programs,\r\nVPNs, graphics editors, document editors, and games. However, the files distributed by these sites are a bundle of several\r\ndifferent malware, including DanaBot. \r\nFigure 7: The investigation into warez sites started from a December 22, 2020 blog on Dalvik Planet \r\nFigure 8: Example of a cracks site offering a popular graphics editor keygen for download \r\nA random file “600117809bae5__Adobe-Photoshop-CC-2211138-Crack-Incl-Keygen-X64-2021.zip” was downloaded and\r\nanalyzed from one of the sites. 
It contained several “README” files and a password-protected archive containing\r\nthe initial dropper for the malware bundle, “setup_x86_x64_install.exe.” \r\nFigure 9: A zip archive downloaded from a warez site containing the initial dropper for the malware bundle \r\nRunning this executable generated the following traffic. \r\nFigure 10: Network traffic resulting from running “setup_x86_x64_install.exe” \r\nA brief description of this traffic and the malware components is below, but we have not conducted a full analysis of the\r\nfiles. \r\n1. Stage 1: drops and runs a stealer component and downloads stage 2 \r\n1.a. Stealer: the first two network\r\nrequests, hxxp[:]//eressedn27[.]top/index.php and hxxp://morttttq12[.]top/index.php, belong to the stealer component. The\r\nstealer collects and uploads a zip with information about the infected machine, including: \r\nBrowser information: saved username and password values, saved forms, credit card-related information, and cookies—from browsers including Chrome, Brave, Vivaldi, Opera, Avast, Firefox \r\nScreenshot: screenshot of the Desktop \r\nSystem Information: Operating System, language, keyboard languages, local time, username, CPU, RAM, video\r\ncard, display resolution, installed software \r\nCryptocurrency / wallets: we observed strings (but did not confirm exact functionality) related to\r\ncryptocurrency wallets and exchanges such as: Coinomi, waves-exchange, Ledger Live, Electrum, Electron Cash,\r\nJaxx, Exodus, MultiBitHD, and Atomic. \r\n1.b. Downloads stage 2: the following network request is a download of the next stage, “lv.exe” \r\n2. Stage 2: drops a miner and downloads DanaBot \r\n2.a. Miner: a file is dropped (not analyzed) that appears to be an AutoIT cryptocurrency miner \r\n2.b. 
Download DanaBot: DanaBot is downloaded from hxxp[:]//45.147.230[.]58/palata.exe \r\nResearch performed by CSIS (Center for Strategic and International Studies) appears consistent with the same actor\r\nthat Proofpoint researchers found. CSIS described a different malware bundle that may include AZORult,\r\nPredator the Thief, Smoke Loader, Redline Stealer, Amadey, Ficker Stealer, and Raccoon Stealer. However, this is likely\r\ndue to the involvement of a Traffic Direction System (TDS) serving different payloads depending on factors such as\r\ngeographic location of the victim. The Indicators of Compromise (IOC) reported by CSIS included the domain chrome-booster[.]com, which Proofpoint also observed in our network traffic screenshot (above) leading to the download\r\nof DanaBot via a 302 redirect. Finally, the CSIS research described the number of infections in hundreds of thousands in a\r\nspan of approximately 1 month. The infections focused on quantity instead of quality and ranged across many\r\ncountries including the United States, Canada, India, Turkey, Brazil, and others. \r\nConclusion \r\nFor almost two years, DanaBot was one of the top banking malware families being used in the crimeware threat landscape. Multiple\r\nthreat actors were distributing and using it to target financials in many countries. In the middle of 2020, DanaBot activity\r\ndropped off. Some of the affiliates that were using it have continued their campaigns using other banking\r\nmalware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other banking malware,\r\nredevelopment time, or something else caused the dip, but it looks like DanaBot is back and trying to regain its foothold in\r\nthe threat landscape. 
We assess the number of DanaBot affiliates will grow and that DanaBot will once again be distributed\r\nvia phishing campaigns within the next few months.\r\nIndicators of Compromise \r\nIndicator  Type  Notes \r\nc0eb802f394e758da4feb0d6c3b817bf1f64880ab9bc851937d5ef774161585d  SHA-256  Analyzed sample, affiliate ID 3 \r\n23.226.132.92  IP Address  C2 of analyzed sample \r\n23.106.123.249  IP Address  C2 of analyzed sample \r\n108.62.141.152  IP Address  C2 of analyzed sample \r\n104.144.64.163  IP Address  C2 of analyzed sample \r\n5jjsgjephjcua63go2o5donzw5x4hiwn6wh2dennmyq65pbhk6qflzyd\\.onion  Hostname  TOR C2 of analyzed sample \r\n83a67ecd166b919255b264718993c284a3238971a24c939c45e0c525f3361a43  SHA-256  Affiliate ID 21 sample \r\n149.129.212.179  IP Address  C2 of affiliate ID 21 sample \r\n47.254.247.133  IP Address  C2 of affiliate ID 21 sample \r\n159.89.114.62  IP Address  C2 of affiliate ID 21 sample \r\n138.197.139.56  IP Address  C2 of affiliate ID 21 sample \r\nab3c72aaacbe2c99646bf4d91e177585631b164f8cd9e9e5eb7a180ce7d945d5  SHA-256  600117809bae5__Adobe-Photoshop-2211138-Crack-Incl-Keygen-X64-2021.zip \r\nceb0ad27aaf97a5a33664f49aa107ca421c3f0a6e0b9a3c37f93455a258f3c04  SHA-256  DanaBot downloaded from hxxp[:]//45.147.230[.]58/palata \r\nEmerging Threats Signatures \r\nETPRO TROJAN Danabot Key Exchange Request \r\nETPRO TROJAN Danabot Command Beacon Request\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot"
	],
	"report_names": [
		"new-year-new-version-danabot"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bef40e70d5e5fb8384d13acb9cd2d3e36e5bc354.pdf",
		"text": "https://archive.orkl.eu/bef40e70d5e5fb8384d13acb9cd2d3e36e5bc354.txt",
		"img": "https://archive.orkl.eu/bef40e70d5e5fb8384d13acb9cd2d3e36e5bc354.jpg"
	}
}