{
	"id": "a89d56ec-d692-4d86-af8c-243d8dc3455a",
	"created_at": "2026-04-06T00:13:34.093178Z",
	"updated_at": "2026-04-10T03:33:36.97679Z",
	"deleted_at": null,
	"sha1_hash": "e7bc514bb28a57ca183add306074bb3dfb55f6cf",
	"title": "Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2357014,
	"plain_text": "Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets\r\nGlobal Organizations\r\nBy Lior Rochberger, Tom Fakterman\r\nPublished: 2025-02-27 · Archived: 2026-04-05 12:44:47 UTC\r\nExecutive Summary\r\nThis article reviews a cluster of malicious activity that we identify as CL-STA-0049. Since at least March 2023, a\r\nsuspected Chinese threat actor has targeted governments, defense, telecommunication, education and aviation\r\nsectors in Southeast Asia and South America.\r\nThe observed activity includes collecting sensitive information from compromised organizations, as well as\r\nobtaining information about high-ranking officials and individuals at those organizations.\r\nDuring our investigation, we were able to shed new light on the attacker’s tactics, techniques and procedures\r\n(TTPs), including the attack flow, entry vector via web shells and covert communication channels.\r\nThe threat actor behind this activity cluster used a recently discovered sophisticated backdoor we named Squidoor\r\n(aka FinalDraft), which targets both Windows and Linux systems. This article reveals a new Windows variant of\r\nSquidoor, and provides a deeper understanding of Squidoor's command and control server (C2) communication\r\nthan has been previously described.\r\nSquidoor is an advanced backdoor that supports multiple modules, designed for stealth. It features a rarely seen set\r\nof capabilities, including using multiple protocols to communicate with the C2 such as the following:\r\nOutlook API\r\nDomain Name System (DNS) tunneling\r\nInternet Control Message Protocol (ICMP) tunneling\r\nBased on our analysis of the TTPs, we assess with moderate-high confidence that this activity originates in China.\r\nOur objective in sharing this analysis is to equip cybersecurity professionals in these high-risk sectors with\r\neffective detection and mitigation strategies against these advanced threats.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through the following\r\nproducts and services:\r\nCortex XDR and XSIAM\r\nCloud-Delivered Security Services for the Next-Generation Firewall, including:\r\nAdvanced WildFire\r\nAdvanced URL Filtering\r\nAdvanced Threat Prevention\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 1 of 15\n\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nInitial Access to Networks: Deploying Multiple Web Shells\r\nTo gain access to networks, the threat actor behind CL-STA-0049 primarily attempted to exploit various\r\nvulnerabilities in Internet Information Services (IIS) servers. They followed this initial compromise with the\r\ndeployment of multiple web shells on infected servers. These web shells served as persistent backdoors, allowing\r\nthe threat actor to maintain access and execute commands on compromised systems.\r\nOur research identified four primary web shells used in the attack:\r\nOutlookDC.aspx\r\nError.aspx (1)\r\nError.aspx (2)\r\nTimeoutAPI.aspx\r\nThe deployed web shells exhibited significant similarities, indicating a common origin. The shared characteristics\r\ninclude the following:\r\nEmbedded decryption keys of the same length (and sometimes shared among different samples)\r\nExtensive obfuscation using junk code (shown in Figure 1 below)\r\nConsistent string patterns and code structures\r\nFigure 1 shows a code snippet of one of the web shells.\r\nFigure 1. Code snippet of a web shell used in the attack.\r\nThe threat actor stored some of the web shells on bashupload[.]com and downloaded and decoded them using\r\ncertutil, as shown in the command-line string in Figure 2. Bashupload is a web application that enables users to\r\nupload files using the command line and download them to another server.\r\nFigure 2. Certutil is used to retrieve web shells from bashupload.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 2 of 15\n\nLateral Movement Within Compromised Endpoints: Spreading Web Shells\r\nWe observed that the threat actor attempted to spread the web shells across different servers. To do that, it used\r\ncurl and Impacket, as shown in Figure 3 below. The threat actor also tried to conceal one of the web shells as a\r\ncertificate and copy it to other servers using Windows Management Instrumentation (WMI).\r\nFigure 3. Cortex alert data showing attempts to download and copy web shells to remote machines.\r\nSquidoor: A Modular Stealthy Backdoor\r\nWe call the main backdoor the attackers used Squidoor. (Elastic Security Labs recently published similar research\r\non this activity cluster, referring to the backdoor as FinalDraft.) Squidoor is a sophisticated backdoor that was\r\nbuilt for stealth, allowing it to operate in highly monitored and secured networks.\r\nThe threat actors primarily used this backdoor to:\r\nMaintain access\r\nMove laterally\r\nCreate stealthy communication channels with its operators\r\nCollect sensitive information about the targeted organizations\r\nDuring our investigation, we discovered that Squidoor was in fact multi-platform malware, with versions for both\r\nWindows and Linux operating systems.\r\nSquidoor offers a range of different protocols and methods operators can use to configure the malware to\r\ncommunicate with its C2 server. The Windows version of Squidoor grants the attackers 10 different methods for\r\nC2 communication, and the Linux version allows nine.\r\nSome communication methods are meant for external communication with the C2, while other methods are for\r\ninternal communication between Squidoor implants within a compromised network. This variety of\r\ncommunication methods enables the attackers to adjust to different scenarios and stay under the radar.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 3 of 15\n\nSquidoor can receive the following commands:\r\nCollect information about the infected machine\r\nExecute arbitrary commands\r\nInject payloads into selected processes\r\nDeliver additional payloads\r\nFigure 4 shows a diagram of the communication paths in a network infected with Squidoor, illustrating how threat\r\noperators configured most of the implants to only communicate internally to remain undetected.\r\nFigure 4. Example of communication paths for implants in a network infected with Squidoor.\r\nUsing a Rarely Observed LOLBAS Technique: Cdb.exe\r\nTo execute Squidoor, the threat actor abused the Microsoft Console Debugger binary named cdb.exe. Attackers\r\ndelivered cdb.exe to the infected environments, saved it to disk as C:\\ProgramData\\fontdrvhost.exe and used it to\r\nload and execute shellcode in memory. While using cdb.exe is a known living-off-the-land-binaries-and-scripts\r\n(LOLBAS) technique, its use is quite rare and has only been reported a handful of times.\r\nUpon execution, cdb.exe (renamed by the attacker to fontdrvhost.exe) loaded the shellcode from a file named\r\nconfig.ini.\r\nAfter the first execution, we observed the attackers using one of Squidoor’s payloads (LoadShellcode.x64.dll,\r\nloaded into mspaint.exe) to load and decrypt another Squidoor implant from a file on disk named wmsetup.log.\r\nFigure 5 illustrates these two flows of execution.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 4 of 15\n\nFigure 5. The execution flow of loading Squidoor.\r\nSquidoor’s persistence was achieved using a scheduled task named Microsoft\\Windows\\AppID\\EPolicyManager.\r\nThis task executed the shellcode. Figure 6 shows the command to create the scheduled task to keep Squidoor\r\npersistent.\r\nFigure 6. Command to create a scheduled task to maintain Squidoor persistence on an affected\r\nWindows host.\r\nSquidoor Execution Flow\r\nOnce Squidoor was loaded into memory, it executed its exported function named UpdateTask. Squidoor’s\r\nexecution flow begins with decrypting its hard-coded configuration.\r\nThe configuration of Squidoor contains a single digit (0-9) corresponding to a switch case that determines which\r\ncommunication method it will use. There are other configuration fields that might not be used, depending on the\r\nvariant of the malware. These fields include values needed for the communication with the C2 server, which will\r\nvary depending on which communication method it uses.\r\nThese values can include the following:\r\nDomains\r\nIP addresses\r\nListening ports\r\nEncryption key\r\nAccess token\r\nCommunication Methods\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 5 of 15\n\nThe Windows version of Squidoor supports 10 different methods for C2 communication. Table 1 breaks out these\r\n10 different methods based on their corresponding switch case digits.\r\nSwitch Case\r\nDigit\r\nInternal Class Name Description\r\n0 CHttpTransChannel HTTP-based communication\r\n1 CReverseTcpTransChannel Reverse TCP connection to a remote server\r\n2 CReverseUdpTransChannel Reverse UDP connection to a remote server\r\n3 CBindTcpTransChannel\r\nListen for incoming TCP connections (suspected to be used\r\nfor only internal communication)\r\n4 CBindHttpTransChannel\r\nListen for incoming HTTP connections (become an HTTP\r\nServer)\r\n5 COutLookTransChannel Communicate via an Outlook mail API  \r\n6 CIcmpTransChannel Utilize ICMP tunneling for communication\r\n7 CDnsTransChannel Utilize DNS tunneling for communication\r\n8 CWebTransChannel\r\nCommunicate via a mail client retrieved from the\r\nconfiguration file\r\n9 CBindSMBTransChannel\r\nUse named pipes for communication (only internal\r\ncommunication, and only on the Windows version)\r\nTable 1. Switch-case values for Squidoor C2 communication methods.\r\nThese communication methods have distinct names in the malware’s code, as shown in Figure 7.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 6 of 15\n\nFigure 7. Code snippets of Squidoor’s communication methods grouped by switch case.\r\nOutlook Transport Channel Analysis\r\nThis section examines the Outlook mail client communication method. Figure 8 shows the flow of this method.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 7 of 15\n\nFigure 8. Flow of the communication mechanism via Outlook API for Squidoor.\r\nWhen executed with the COutLookTransChannel configuration, Squidoor will first log in to the Microsoft identity\r\nplatform using a hard-coded refresh token as shown in Figure 9. The Microsoft Graph API token is stored in the\r\nfollowing registry keys, based on the user’s privileges:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UUID\\\u003cuuid_stored_in_configuration\u003e\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UUID\\\u003cuuid_stored_in_configuration\u003e\r\nFigure 9. HTTP POST request by Squidoor for logging in to the Microsoft identity platform.\r\nNext, Squidoor sends an HTTP GET request to a specific Pastebin page that is hard coded in its configuration. The\r\nPastebin page is named Local365, and only contains the number 1. We suspect the attackers monitor these GET\r\nrequests to Pastebin as a method to track how many implants have connected via the Outlook API.\r\nNext, Squidoor uses the Outlook REST API to query the drafts folder, searching for mails with a subject\r\ncontaining the string p_{random_generated_number}. If it finds no such mail, Squidoor will send an email to the\r\nattackers with the aforementioned generated string as the subject, including a Base64-encoded random sequence\r\nof bytes in the content. Figure 10 shows an HTTP POST request of this C2 traffic.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 8 of 15\n\nFigure 10. HTTP POST request for an email uploaded to the attackers’ Outlook account by\r\nSquidoor.\r\nThe attackers use the {random_generated_number} identifier to differentiate between different Squidoor implants\r\nthat query commands from the same Outlook mail inbox.\r\nAfter sending the initial beacon, Squidoor starts to query the email account for commands. To do so, it queries the\r\ndrafts folder for mails containing the string r_{random_generated_number} in the subject with a preceding r\r\ninstead of p with the same generated number value as before. Figure 11 shows an example of such a query sent by\r\nSquidoor.\r\nFigure 11. A query Squidoor uses to retrieve emails containing commands to execute.\r\nIf such an email exists, Squidoor will retrieve its contents and delete it from the attacker's mailbox. Next, the\r\ncontents of the retrieved message go through several stages of deobfuscation and decoding. This mechanism\r\nallows the malware to receive commands or additional malicious code from its C2 server disguised as innocent-looking Outlook network traffic.\r\nDecoding the Email Content\r\nThe decoding mechanism of the content of the mails is as follows:\r\n1. Transform the email to bytes by using the CryptStringToBinaryA WinAPI\r\n2. Decode from Base64 encoding\r\n3. Decode the content via a combination of AES and a custom XOR decryption algorithm\r\n4. Decompress the decoded content using zlib 1.2.12\r\nThe decompressed content tells Squidoor which command it should execute, along with any additional relevant\r\ndata for execution, such as additional payloads or file paths.\r\nSquidoor’s Main Capabilities\r\nSquidoor has a list of commands it can receive from the C2 server, which grants the attacker a variety of different\r\ncapabilities to gain full control over the infected machine. These capabilities include:\r\nHost reconnaissance and fingerprinting, including:\r\nUsername and privileges\r\nHostname\r\nIP address\r\nOperating system (OS) type\r\nExecuting arbitrary commands\r\nQuerying files and directories\r\nQuerying running processes\r\nExfiltrating files\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 9 of 15\n\nDeploying additional malware\r\nInjecting payloads into additional processes\r\nSending commands to other Squidoor implants via TCP\r\nSending commands to other Squidoor implants via named pipes (Windows variant only)\r\nSquidoor Code Injection\r\nSquidoor can receive a command from the C2 instructing the malware to perform code injection into an additional\r\nprocess. Squidoor injects a payload using classic DLL injection, calling the following Windows API functions\r\nRtlCreateUserThread, VirtualAllocEx and WriteProcessMemory.\r\nOn the Windows version, depending on the command the attackers sent, Squidoor will determine which process it\r\nwill use for injection. The two options available for the attacker are:\r\nAttempting to inject code into mspaint.exe\r\nIf mspaint.exe does not exist in system32 (as is the case in Windows 11), it injects conhost.exe\r\ninstead\r\nPerforming an injection into an already running process on the system determined by a process ID (PID)\r\nselected by the attacker\r\nModular Backdoor\r\nDuring our investigation, we observed Squidoor executing additional modules that it injected into other Windows\r\nOS processes, such as the following:\r\nmspaint.exe\r\nconhost.exe\r\ntaskhostw.exe\r\nvmtoolsd.exe\r\nFigure 12 shows how, in one instance, the threat actor delivered payloads (modules) that they injected into\r\nmultiple instances of mspaint.exe. The threat actor used these injected modules to move laterally using Windows\r\nRemote Management (WinRM), steal data and execute commands on remote endpoints. The modules require a\r\npassword as an argument to run, to evade dynamic analysis and sandboxes.\r\nThe observed passwords included:\r\nt0K1p092\r\nPeN17PFS50\r\nsElf98RqkF\r\nAslire597\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 10 of 15\n\nFigure 12. Squidoor injects multiple payloads into different mspaint.exe instances.\r\nThe mspaint.exe injected payloads were not written to the disk and were executed in system memory. From the\r\nbehavioral pattern, these payloads appear to support a number of command-line arguments to perform multiple\r\nactions such as the following:\r\nUploading or deleting files remotely\r\nExecuting PowerShell scripts without invoking the powershell.exe binary\r\nExecuting arbitrary commands\r\nStealing specific files\r\nPerforming pass the hash attacks\r\nEnumerating specific user accounts\r\nAbusing Pastebin to Store Configuration Data\r\nAs we previously mentioned, on some of its communication modes, Squidoor will send an HTTP GET request to\r\nPastebin.\r\nWe found two Pastebin accounts operated by the attackers and the aliases they created for themselves.\r\nOne of the accounts has been operational for almost a year, with the attacker adding new content occasionally.\r\nThe threat actor apparently used these Pastebin accounts to store components related to the different\r\ncommunication methods of the malware such as access tokens and API keys as shown in Figure 13 below.\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 11 of 15\n\nFigure 13. Example of a Pastebin account controlled by the attackers.\r\nAt the beginning of February 2025, the attackers deleted all the files shown in Figure 13 above, and added several\r\nnew ones, shown in Figure 14. Those files contain different Microsoft Graph API tokens and the titles suggest\r\ndifferent target names.\r\nFigure 14. Updated Pastebin page controlled by the attackers.\r\nIn addition, we suspect attackers used these accounts to track the number of Squidoor implants executed around\r\nthe world, by tracing the number of implants that queried Pastebin.\r\nConclusion\r\nThe threat actor behind the CL-STA-0049 cluster of activity has attacked high-value targets in South America and\r\nSoutheast Asia. The primary objective appears to be gaining a foothold and obtaining sensitive information from\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 12 of 15\n\ntheir targets. We assess with moderate-high confidence that this threat actor is of Chinese origin.\r\nSquidoor, the main backdoor used in this operation, is engineered for an enhanced level of stealth and offers 10\r\ndistinct methods for covert C2 communication. This versatility has allowed the attackers to adapt to various\r\nscenarios and minimize suspicious network traffic emanating from compromised environments.\r\nSquidoor's multi-platform implementations, with tailored versions for both Windows and Linux operating\r\nsystems, expand its reach and attack surface. This adaptability enables the malware to infiltrate diverse network\r\necosystems, potentially compromising a broader range of targets and complicating detection and mitigation efforts\r\nacross heterogeneous infrastructures.\r\nWe encourage security practitioners and defenders to study this report and use the information provided to\r\nenhance current detection, prevention and hunting practices to strengthen their security posture.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\nactivity cluster:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nAdvanced URL Filtering identifies domains associated with this group as malicious.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block the\r\nattacks with best practices. Advanced Threat Prevention has inbuilt machine learning-based detection that\r\ncan detect exploits in real time.\r\nCortex XDR and XSIAM are designed to:\r\nPrevent the execution of known malicious malware and also prevent the execution of unknown\r\nmalware using Behavioral Threat Protection and machine learning based on the Local Analysis\r\nmodule.\r\nProtect against exploitation of different vulnerabilities using the Anti-Exploitation modules as well\r\nas Behavioral Threat Protection.\r\nDetect post-exploit activity, including credential-based attacks, with behavioral analytics through\r\nCortex XDR Pro and XSIAM.\r\nDetect user and credential-based threats by analyzing anomalous user activity from multiple data\r\nsources.\r\nProtect from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 13 of 15\n\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hash for Squidoor - Windows version (config.ini)\r\nf663149d618be90e5596b28103d38e963c44a69a5de4a1be62547259ca9ffd2d\r\nSHA256 hashes for Squidoor - Linux version\r\n83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c\r\n8187240dafbc62f2affd70da94295035c4179c8e3831cb96bdd9bd322e22d029\r\nfa2a6dbc83fe55df848dfcaaf3163f8aaefe0c9727b3ead1da6b9fa78b598f2b\r\n3fcfc4cb94d133563b17efe03f013e645fa2f878576282805ff5e58b907d2381\r\nf45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9\r\nSHA256 hashes for associated web shells\r\n9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096\r\n461f5969b8f2196c630f0868c2ac717b11b1c51bc5b44b87f5aad19e001869cc\r\n224becf3f19a3f69ca692d83a6fabfd2d78bab10f4480ff6da9716328e8fc727\r\n6c1d918b33b1e6dab948064a59e61161e55fccee383e523223213aa2c20c609c\r\n81bd2a8d68509dd293a31ddd6d31262247a9bde362c98cf71f86ae702ba90db4\r\n7c6d29cb1f3f3e956905016f0171c2450cca8f70546eee56cface7ba31d78970\r\nc8a5388e7ff682d3c16ab39e578e6c529f5e23a183cd5cbf094014e0225e2e0a\r\n1dd423ff0106b15fd100dbc24c3ae9f9860a1fcdb6a871a1e27576f6681a0850\r\n82e68dc50652ab6c7734ee913761d04b37429fca90b7be0711cd33391febff0a\r\ne8d6fb67b3fd2a8aa608976bcb93601262d7a95d37f6bae7c0a45b02b3b325ad\r\n2b6080641239604c625d41857167fea14b6ce47f6d288dc7eb5e88ae848aa57f\r\n33689ac745d204a2e5de76bc976c904622508beda9c79f9d64c460ebe934c192\r\n5dd361bcc9bd33af26ff28d321ad0f57457e15b4fab6f124f779a01df0ed02d0\r\n945313edd0703c966421211078911c4832a0d898f0774f049026fc8c9e7d1865\r\na7d76e0f7eab56618f4671b5462f5c210f3ca813ff266f585bb6a58a85374156\r\n265ceb5184cac76477f5bc2a2bf74c39041c29b33a8eb8bd1ab22d92d6bebaf5\r\nDomains\r\nSupport.vmphere[.]com\r\nUpdate.hobiter[.]com\r\nmicrosoft-beta[.]com\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 14 of 15\n\nzimbra-beta[.]info\r\nmicrosoftapimap[.]com\r\nIP addresses\r\n209.141.40[.]254\r\n104.244.72[.]123\r\n47.76.224[.]93\r\nSource: https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nhttps://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
	],
	"report_names": [
		"advanced-backdoor-squidoor"
	],
	"threat_actors": [
		{
			"id": "68a86dfa-1a6d-4254-bd39-a9aa1129fdf5",
			"created_at": "2025-05-29T02:00:03.198435Z",
			"updated_at": "2026-04-10T02:00:03.855309Z",
			"deleted_at": null,
			"main_name": "REF7707",
			"aliases": [
				"CL-STA-0049",
				"Jewelbug"
			],
			"source_name": "MISPGALAXY:REF7707",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7bc514bb28a57ca183add306074bb3dfb55f6cf.pdf",
		"text": "https://archive.orkl.eu/e7bc514bb28a57ca183add306074bb3dfb55f6cf.txt",
		"img": "https://archive.orkl.eu/e7bc514bb28a57ca183add306074bb3dfb55f6cf.jpg"
	}
}