{
	"id": "434d752b-36a3-4fac-89d1-7dd2fc68e45a",
	"created_at": "2026-04-06T00:18:55.01926Z",
	"updated_at": "2026-04-10T03:31:13.728503Z",
	"deleted_at": null,
	"sha1_hash": "f46231a03436994605eb7637c4f82daa778487ee",
	"title": "Darkhotel’s attacks in 2015",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1579572,
	"plain_text": "Darkhotel’s attacks in 2015\r\nBy GReAT\r\nPublished: 2015-08-10 · Archived: 2026-04-05 17:15:24 UTC\r\nDarkhotel APT attacks dated 2014 and earlier are characterized by the misuse of stolen certificates, the\r\ndeployment of .hta files with multiple techniques, and the use of unusual methods like the infiltration of hotel Wi-Fi to place backdoors in targets’ systems. In 2015, many of these techniques and activities remain in use.\r\nHowever, in addition to new variants of malicious .hta, we find new victims, .rar attachments with RTLO\r\nspearphishing, and the deployment of a 0day from Hacking Team.\r\nThe Darkhotel APT continues to spearphish targets around the world, with a wider geographic reach than its\r\nprevious botnet buildout and hotel Wi-Fi attacks. Some of the targets are diplomatic or have strategic commercial\r\ninterests.\r\nThe location of Darkhotel’s targets and victims in 2015:\r\nNorth Korea\r\nRussia\r\nSouth Korea\r\nJapan\r\nBangladesh\r\nThailand\r\nIndia\r\nMozambique\r\nGermany\r\n2015 Darkhotel .hta and backdoor-related, exploit-related and c2 sites:\r\nstoryonboard[.]net\r\ntisone360[.]org\r\nopenofficev[.]info\r\nsaytargetworld[.]net\r\nerror-page[.]net\r\neonlineworld[.]net\r\nenewsbank[.]net\r\nthewordusrapid[.]com\r\n2015 spearphishing incident attachment name subset:\r\nschedule(6.1~6).rar -\u003e schedule(6.1~6)_?gpj.scr\r\nschedule(2.11~16).rar -\u003e schedule(2.11~16)_?gpj.scr\r\ncongratulation.rar -\u003e congratulation_?gpj.scr\r\nhttps://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/\r\nPage 1 of 16\n\nletter.rar -\u003e letter_?gpj.scr\r\nConsistent use of obfuscated .hta downloaders\r\nWhether the infection is achieved through spearphishing, physical access to a system or the Hacking Team Flash\r\n0day, there frequently seems to be a common method for a newly-infected system to communicate with\r\nDarkhotel’s c2:\r\nA lightly obfuscated (double escaped set of javascript variable values) script 
maintained within an .hta file writes\r\nan executable to disk and executes it.\r\nIt is interesting that this particular group has for years now deployed backdoor and downloader code in the form of\r\n.hta files. In 2010, we observed it re-purposing articles on North Korea by the US think-tank, Brookings Institute,\r\nin order to attack North Korean-related targets with malicious code buried in .hta files. It also emailed links to its\r\nmalicious .hta files to North Korean tourist groups, economists with an interest in North Korea, and more. It’s\r\nsomewhat strange to see such heavy reliance on older Windows-specific technology like HTML applications,\r\nintroduced by Microsoft in 1999.\r\nFrom the recent sendspace[.]servermsys[.]com/downloader.hta:\r\nAfter execution and escaping a couple of variables, the .hta uses ancient Adodb.stream components in order to\r\nwrite out a string xor’d with 0x3d as an executable file and runs it.\r\n
This code results in the execution of “internet_explorer_Smart_recovery.exe”\r\n054471f7e168e016c565412227acfe7f, and a hidden browser window phoning back to its c2. In this case, it seems\r\nthat Darkhotel operators are checking as to whether or not the victim’s default browser is Internet Explorer, as all\r\nversions of IE return the value “0” and other browsers leave “appMinorVersion” undefined. This data collection\r\nseems somewhat odd, because .hta files are supported and run by mshta.exe on Windows systems only, still\r\ndelivered with Windows 8. Perhaps it is an artefact from early development of the code. Here is a recent version:\r\n“hxxp://sendspace[.]servermsys[.]com/readme.php?type=execution\u0026result=created_and_executed\u0026info=” +\r\nnavigator.appMinorVersion + “\r\nThe “internet_explorer_Smart_recovery.exe” file is a simple obfuscated downloader. A series of xor 0x28 loops\r\ndecrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution,\r\na more complex rc4 loop decrypts the download url and other strings and imports.\r\n
When finished, this url string decryption and connectback looks like\r\nhttp://sendspace[.]servermsys[.]com/wnctprx. The file is downloaded (b1f56a54309147b07dda54623fecbb89) to\r\n“.tmp” file in %temp%, executed, and the downloader exits. This larger file is a backdoor/downloader that\r\nincludes ssh functionality, and drops its keys to disk for ssh interaction. We find older Darkhotel information\r\nstealers dropped and run on the system by these downloaders.\r\nSpearphishing and .rar Attachments with RTLO\r\nThe Darkhotel APT will relentlessly spearphish specific targets in order to successfully compromise systems.\r\nSome targets are spearphished repeatedly with much the same social-engineering schemes. For example, the\r\nattachment “schedule(2.11~16).rar” could be sent on February 10th, with Darkhotel returning to the same targets\r\nin late May for a second attempt with attachment “schedule(6.1~6).rar”.\r\n
It consistently archives RTLO .scr executable files within .rar archives, in order to appear to the target as\r\ninnocuous .jpg files. These executable files are lite droppers, maintaining these decoy jpeg files, and code to create\r\nan lnk downloader.\r\n
When the target attempts to open what they think is a jpg image file, the executable code runs and drops a jpg\r\nimage to disk, then opens it with mspaint.exe in the background. This “congratulations” document is in Korean,\r\nrevealing a likely characteristic of the intended target.\r\n
While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut\r\nmaintains a multiline target shell script. This technique is also used by other APTs as persistence mechanisms, as\r\ndocumented by our colleagues. The 64kb lnk file is downloader code:\r\n
When this lnk file is executed, it begins an AJAX-based download process for the “unzip.js” file\r\n(a07124b65a76ee7d721d746fd8047066) on openofficev.info. This is another wscript file implementing AJAX to\r\ndownload and execute a relatively large compiled executable:\r\n
This executable code is saved to %temp%\\csrtsrm.exe and executed there. It is a relatively large executable (~1.2\r\nmb) that injects malicious code and spawns remote threads into legitimate processes.\r\nStolen certificates and evasion\r\nThe group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors\r\nsigned with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang\r\nTechnology Co. Ltd.\r\nDarkhotel now tends to hide its code behind layers of encryption. It is likely that it has slowly adapted to attacking\r\nbetter-defended environments and prefers not to burn these stolen digital certificates. In previous attacks it would\r\nsimply have taken advantage of a long list of weakly implemented, broken certificates.\r\nNot only are its obfuscation techniques becoming stronger, but its anti-detection technology list is growing. For\r\nexample, this signed downloader (d896ebfc819741e0a97c651de1d15fec) decrypts a set of anti-malware strings in\r\nstages to identify defensive technologies on a newly-infected system, and then opens each process, looking for a\r\nmatching image name:\r\nc:\\avast! sandbox\\WINDOWS\\system32\\kernel32.dll – Avast!\r\navp.exe – Kaspersky Lab\r\nmcagent.exe;mcuicnt.exe – Intel/Mcafee\r\nbdagent.exe – BitDefender\r\n
ravmon.exe,ravmond.exe – Beijing Rising\r\n360tray.exe,360sd.exe,360rp.exe,exeMgr.exe – Qihoo 360\r\nayagent.aye,avguard.;avgntsd.exe – Avira Antivirus\r\nccsvchst.exe,nis.exe – Symantec Norton\r\navgui.exe,avgidsagent.exe,avastui.exe,avastsvc.exe – Avast!\r\nmsseces.exe;msmpeng.exe – Microsoft Security Essentials and Microsoft Anti-Malware Service\r\nAVK.exe;AVKTray.exe – G-Data\r\navas.exe – TrustPort AV\r\ntptray.exe – Toshiba utility\r\nfsma32.exe;fsorsp.exe – F-Secure\r\neconser.exe;escanmon.exe – Microworld Technologies eScan\r\nSrvLoad.exe;PSHost.exe – Panda Software\r\negui.exe;ekrn.exe – ESET Smart Security\r\npctsSvc.exe;pctsGui.exe – PC Tools Spyware Doctor\r\ncasc.exe;UmxEngine.exe – CA Security Center\r\ncmdagent.exe;cfp.exe – Comodo\r\nKVSrvXP.exe;KVMonXP.exe – Jiangmin Antivirus\r\nnsesvc.exe;CClaw.exe – Norman\r\nV3Svc.exe – Ahnlab\r\nguardxup. – IKARUS\r\nFProtTray. – F-Prot\r\nop_mon – Agnitum Outpost\r\nvba332ldr.;dwengine. – DrWeb\r\nEven the identifying information that the backdoor seeks from a system is not decrypted until runtime. Like the\r\n“information-stealer” component documented in our previous Darkhotel technical report, this component seeks to\r\nsteal a set of data with which to identify the infected system. Much of the information is collected with the same\r\nset of calls, i.e. kernel32.GetDefaultSystemLangID, kernel32.GetVersion, and kernel32.GetSystemInfo:\r\nDefault system codepage\r\nNetwork adapter information\r\nProcessor architecture\r\nHostname and IP address\r\nWindows OS and Service Pack versions\r\nEssentially, much of this information-stealer code is the same as that observed in previous attacks.\r\nThe tisone360.com site was especially interesting to us. In April 2015, Darkhotel was email-phishing with links to\r\nearlier (cve-2014) Flash exploits, and then, at the beginning of July, it began to distribute what is reported to be a\r\nleaked Hacking Team Flash 0day.\r\nIt looks like the Darkhotel APT may have been using the leaked HackingTeam Flash 0day to target specific\r\nsystems. We can pivot from “tisone360.com” to identify some of this activity. The site was up and active as late as\r\n22 July, 2015. However, this looks to be a small part of its activity. In addition to the icon.swf HT 0day\r\n(214709aa7c5e4e8b60759a175737bb2b), it looks as though the “tisone360.com” site was delivering a Flash CVE-2014-0497 exploit in April. We reported the related vulnerability to Adobe in January 2014, when it was being\r\nused by the Darkhotel APT.\r\nRecently, the Darkhotel APT has maintained multiple working directories on this site.\r\nIt is the ims2 directory that is the most active. It contains a set of backdoors and exploits. The most interesting of\r\nthese is the reported Hacking Team Flash 0day, icon.swf. In the days following the public mention of this server,\r\nthe crew slowly tightened down open access to /ims2/. Either way, the contents continued to be actively used.\r\nicon.swf (214709aa7c5e4e8b60759a175737bb2b) -\u003e icon.jpg (42a837c4433ae6bd7490baec8aeb5091)\r\n-\u003e %temp%\\RealTemp.exe (61cc019c3141281073181c4ef1f4e524)\r\nAfter icon.jpg is downloaded by the flash exploit, it is decoded with a multi-byte xor key 0xb369195a02. It then\r\ndownloads further components.\r\nIt’s interesting to note that the group appears to be altering the compilation and linker timestamps of its executable\r\ncode to dates in 2013. We see this across multiple samples deployed and observed for the first time in mid-2015,\r\nincluding the icon.jpg downloader.\r\nA log of visits to the site directory records that the directory was set up on July 8th. A handful of visits to a\r\nspecific url on the server from five systems based in the following locations were recorded on the 8th and 9th.\r\nSeveral of these are likely to be Darkhotel APT targets:\r\nGermany\r\nSouth Korea\r\nChina (likely to be research)\r\nUS\r\nJapan\r\n
However, one of those systems hammered the site on the 9th, visiting almost 12,000 times in 30 minutes. This\r\nvolume of traffic is likely to represent a noisy scanning research attempt and not someone DoS’ing the site:\r\nRecorded site visits following the 9th are likely to be unreliable and may be more researchers, responding to the\r\ngrowing notoriety of the site following the public reports on the 9th. Many of these approximately 50 visits come\r\nfrom a subset of the above systems and are repeated multiple times. Visits from the following locations occurred\r\non or after the 10th:\r\nGermany (likely to be research)\r\nUkraine (likely to be research)\r\nAmazon Web Services, multiple locations (likely to be research)\r\nGooglebot, multiple locations\r\nUS\r\nIreland (likely to be research)\r\nRussia\r\nBrazil\r\nChina\r\nFinland\r\nCanada\r\nTaiwan\r\nFrance (likely to be research)\r\nCzech Republic\r\nA consistent attack flow\r\nThe Darkhotel group tends to stick with what works. For example, for years we saw repeated use of spearphishing\r\ntargets directly with .hta files. Now, as with the tisone360.com site above, we have seen repeated use in 2015 of a\r\ncreative chain of delivery sets.\r\ndownloader -\u003e hta checkin -\u003e info stealer -\u003e more compiled components.\r\ndropper -\u003e wsh script -\u003e wsh script -\u003e info stealer -\u003e more compiled components\r\nspearphish -\u003e dropper -\u003e hta checkin -\u003e downloader -\u003e info stealer\r\nWhile a chain of delivery that includes obfuscated scripts within .hta files occurred as far back as 2011, the\r\nvolume appears to have picked up in 2014 and now 2015.\r\nopenofficev[.]info (2015)\r\noffice-revision[.]com (2014)\r\n
online.newssupply[.]net (2011)\r\nHiding infrastructure in plain sight\r\nThe group is now more vigilant in maintaining its sites, tightening up configuration and response content. Right\r\nnow, its c2 responds with anti-hero images of “Drinky Crow” from the alt Maakies cartoon:\r\nOther Darkhotel c2s tend to blend in with random sites on the web when incorrect or missing pages are visited.\r\nThey are ripping images either from FOTOLIA or articles on artisanal ice cream makers here:\r\n
Technical details\r\nHTA md5:\r\nSpearphish attachments md5:\r\n2015 large downloader md5:\r\nInfostealers dropped in 2015\r\n61637a0637fb25c53f396c305efa5dc5\r\na7e78fd4bf305509c2fc1b3706567acd\r\nSubhosts and urls:\r\n
Parallel and Previous Research\r\nCVE-2014-0497 – A 0-day Vulnerability\r\nHacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1\r\nThe Darkhotel APT\r\nRead more about how you can protect your company against the Darkhotel threat actor here.\r\nSource: https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/"
	],
	"report_names": [
		"darkhotels-attacks-in-2015"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f46231a03436994605eb7637c4f82daa778487ee.pdf",
		"text": "https://archive.orkl.eu/f46231a03436994605eb7637c4f82daa778487ee.txt",
		"img": "https://archive.orkl.eu/f46231a03436994605eb7637c4f82daa778487ee.jpg"
	}
}