{"id":19126,"date":"2022-05-28T19:02:45","date_gmt":"2022-05-29T03:02:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12859\/"},"modified":"2022-05-28T19:02:45","modified_gmt":"2022-05-29T03:02:45","slug":"news-12859","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12859\/","title":{"rendered":"Spoofed Saudi Purchase Order Drops GuLoader: Part 1"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Given the current fluctuations in the energy market and the related rise in prices to consumers, it should be no surprise that threat actors are using lures to exploit the global interest in this issue.<\/p>\n<p>FortiGuard Labs recently discovered an e-mail using this tactic. The message, seemingly sent by an oil provider in Saudi Arabia, was delivered to a coffee company in Ukraine. Purporting to be a purchase order, the partial PDF file image displayed in the body of the email was actually a link to an ISO file hosted in the cloud that contained an executable for GuLoader. 
Also known as CloudEye and vbdropper, GuLoader dates to at least 2019 and is generally used to deploy other malware variants, such as Agent Tesla, Formbook, and Lokibot.<\/p>\n<p>What makes this case interesting is that the executable in question uses <a href=\"https:\/\/en.wikipedia.org\/wiki\/Nullsoft_Scriptable_Install_System\" target=\"_blank\">NSIS<\/a> (Nullsoft Scriptable Install System), a free, script-driven\u00a0installer\u00a0authoring tool for\u00a0Microsoft Windows, to deploy itself.<\/p>\n<p>Part one of this blog will detail our examination of the phishing e-mail and a static analysis of the embedded malware, while part two will provide a dynamic analysis of the malware along with its shellcode file, \u201crudesbies.Par\u201d.\u00a0<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Affected Platforms:<\/b> Windows<br \/> <b>Impacted Users:<\/b> Windows users<br \/> <b>Impact:<\/b> Potential to deploy additional malware for additional purposes<br \/> <b>Severity Level:<\/b> Medium<\/p>\n<h2>The Phishing E-mail<\/h2>\n<p>Inviting a recipient to review an invoice or purchase order is a common phishing lure, which this attack path follows as well.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652996604956\/img1.png\" alt=\"Example of the Phishing e-mail.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
Phishing e-mail.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The e-mail claims to come from a known oil company in Saudi Arabia (this information has been redacted along with the recipient\u2019s details). Even without reviewing the e-mail headers, it is apparent straight away that the origins of this message may not be as claimed. Note the \u201cFrom\u201d address is actually \u201cinfo@zoneofzenith[.]com\u201d, which has little resemblance to the domain of any petroleum-based business.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_594203541.img.jpeg\/1653091784884\/figure2.jpeg\" alt=\"HTML in Spoof email\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Email HTML<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The headers confirmed our initial suspicions about the origins of this e-mail and show that it was indeed sent from the \u201czoneofzenith[.]com\u201d domain.<\/p>\n<p>Investigating the e-mail further, we find that the recipient is provided with what is meant to look like a PDF document containing a supposed purchase order that is embedded in the body text (see Figure 1). A review of the underlying HTML of the e-mail, however, shows this not to be the case. 
The embedded \u201cdocument\u201d is instead a hypertext-linked image that connects to a Microsoft OneDrive cloud storage location.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_1113626766.img.png\/1652996835725\/fig3.png\" alt=\"Figure 3. Microsoft OneDrive link.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Microsoft OneDrive link.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>If clicked, the link delivers the recipient to a OneDrive location and asks them to download the \u201cpurchase order\u201d. Rather than a PDF, however, the file \u201cPO#23754-1.ISO\u201d is downloaded. This is the first step in the infection chain that will eventually deposit GuLoader onto the victim\u2019s system.<\/p>\n<h2>ISO<\/h2>\n<p>Microsoft Windows is generally designed to be as helpful as possible where known file types are involved. In this case, the .ISO file (optical disc image) that is downloaded is automatically mounted when clicked, thereby presenting the file contained within.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_787725469.img.png\/1652996896640\/igm4.png\" alt=\"Figure 4. 
Mounted PO#23754-1.iso file.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. Mounted PO#23754-1.iso file.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen in Figure 4, a file with an identical name is presented. However, instead of being the expected PDF, this time the file is an executable. Because Windows does not display extensions by default, it is not immediately evident that this file is an executable, making it difficult to distinguish from the expected document with the same name (aside from the \u201cType\u201d column indicating an Application).<\/p>\n<p>This file is the NSIS executable that will deploy GuLoader.<\/p>\n<h2>PO#23754-1.exe<i>\u00a0<\/i>File Attributes<\/h2>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_753372623.img.png\/1652998590175\/img5.png\" alt=\"Figure 5. Exif data of the NSIS executable.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Exif data of the NSIS executable.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>PO#23754-1.exe presents itself as a 32-bit Windows executable. 
As can be seen in Figure 5, several false items have been entered into the comment and description fields along with copyright and product name.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_1892076516.img.png\/1652998663041\/img6.png\" alt=\"Figure 6. Digital signature information for PO#23754-1.exe.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. Digital signature information for PO#23754-1.exe.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>An effort to provide a digital certificate has also been made. Figure 6, however, shows that the included information is obviously false, in addition to having been signed via an untrusted root.<\/p>\n<h2>PO#23754-1.exe Static Analysis<\/h2>\n<p>Originally developed as an installer to distribute the Winamp music player, the Nullsoft Scriptable Install System (NSIS) has been around since 2000. 
It is effectively a container (like a Zip file) that uses a script to deploy files to desired locations on a system.<\/p>\n<p>A tool such as 7Zip can extract most of the files held within the container.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_150117993.img.png\/1652998700128\/img7.png\" alt=\"Figure 7. Executing 7Zip on PO#23754-1.exe.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Executing 7Zip on PO#23754-1.exe.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>For this executable, 7Zip deposits 13 files and 1 directory (which contains one file as well) into the extraction location of choice. Quite interestingly, all the files (except for rudesbies.Par and System.dll, which are stored inside $PLUGINSDIR) are chaff for investigators \u2013 decoys that attempt to waste time for anyone attempting to trace what the file does. Each of these other files, some of which are legitimate, is harmless. (An examination of rudesbies.Par will take place a little later in the blog.)<\/p>\n<p>Unfortunately, a standard install of 7Zip is unable to expose the key component needed for further investigation of PO#23754-1.exe \u2013 the NSIS script. Another tool is required for this. 7z-build-nsis (<a href=\"https:\/\/github.com\/myfreeer\/7z-build-nsis\" target=\"_blank\">https:\/\/github.com\/myfreeer\/7z-build-nsis<\/a>) is one such tool. 
And as the name implies, it is a modified build of 7Zip designed to extract an NSI script.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_1644260895.img.png\/1652998753804\/img8.png\" alt=\"Figure 8. The now extracted NSIS script.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. The now extracted NSIS script.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The NSIS structure and syntax are entirely open source and <a href=\"https:\/\/nsis.sourceforge.io\/Main_Page\" target=\"_blank\">available to review<\/a>. In this case, the NSIS script provides a fair bit of information to anyone examining it.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_337265003.img.png\/1652998788883\/img9.png\" alt=\"Figure 9. Head of the NSIS script file.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. 
Head of the NSIS script file.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 9 shows the head of the NSIS script with accompanying string declarations.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_186452877.img.png\/1652998819252\/fig-190.png\" alt=\"Figure 10. Install directory highlighted as $TEMP and registry key to be created during the execution of the script.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. Install directory highlighted as $TEMP and registry key to be created during the execution of the script.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As can be seen from Figure 10, the script will use $TEMP as an install directory and creates the registry key \u201cHKCU SoftwarestemningsfulderesDISINTENSIFI \u201cExpand String Value\u201d %WINDIR%PARALLELIZING.log\u201d<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_1829429696.img.png\/1652998873388\/fig11.png\" alt=\"Figure 11. Multiple obfuscated Windows system calls.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. 
Multiple obfuscated Windows system calls.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The script makes several Windows system calls. Some of these have a basic level of obfuscation (for example, starting at line 260 in Figure 11 above). The file rudesbies.Par (mentioned above) is also featured. The calls used are as follows: <\/p>\n<ul>\n<li>KERNel32::CreateFileW(t $&quot;$INSTDIRrudesbies.Par$&quot;, i $0, i 0, p 0, i 4, i $1, i 0)i.R1<\/li>\n<li>KERNel32::GetFileSize(i R1, *i 0)i.r7<\/li>\n<li>KERNel32::VirtualAllocEx(i -1,i 0,i 0x100000, i 0x3000, i 64)p.R3<\/li>\n<li>KERNel32::ReadFile(i R1, i R3, i r7,*i 0, i 0)<\/li>\n<li>KERNel32::CloseHandle(i R1)<\/li>\n<li>user32::EnumWindows(i R3 ,i 0)<\/li>\n<\/ul>\n<p>Effectively, the script wishes to read \u201crudesbies.Par\u201d into a memory buffer and then checks to see if a window exists for it. The calls are made to \u201cSystem.dll\u201d, which contains the requisite Windows library functions. It is stored in the \u201c$PLUGINSDIR\u201d, shown in Figures 7 and 8, and will be deposited into a temporary directory upon execution.<\/p>\n<p>Since \u201crudesbies.Par\u201d is involved in the system calls within the NSIS script, a logical step at this stage in the investigation would be to examine it for further information. Unfortunately, the file is heavily encoded and therefore obfuscated from reading without further processing. 
This will be addressed in Part 2 of this series.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image_407639316.img.png\/1652998960333\/fig12.png\" alt=\"Figure 12. rudesbies.Par as it exists natively without processing.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. rudesbies.Par as it exists natively without processing.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Conclusion<\/h2>\n<p>This blog covered an examination of a phishing e-mail and a static analysis of the attached executable containing GuLoader. While not unheard of, the less common use of the Nullsoft Scriptable Install System made the sample more interesting than usual to examine.<\/p>\n<p>Part two of this blog will cover the dynamic analysis of the executable and subsequent shellcode injection via the data stored in the \u201crudesbies.Par\u201d.<\/p>\n<p>Please stay tuned!<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>The GuLoader sample mentioned in this blog is detected by the following (AV) signature:<\/p>\n<p>NSIS\/Injector.AOW!tr<\/p>\n<p>The URL zoneofzenith.com is categorized as a Spam URL by our Web Filtering Client.<\/p>\n<p>Fortinet customers are protected from this malware through FortiGuard\u2019s <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, <a href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/antivirus\">Antivirus<\/a>, and <a 
href=\"https:\/\/www.fortinet.com\/support\/support-services\/fortiguard-security-subscriptions\/content-disarm-reconstruction\">CDR<\/a> (content disarm and reconstruction) services and <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a>, and <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> solutions. All network-based URIs are blocked by the Web Filtering client.<\/p>\n<p>Due to the ease of disruption, damage to daily operations, potential impact to the reputation of an organization, and the unwanted destruction or release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date.<\/p>\n<p>Fortinet also has multiple solutions designed to help train users to understand and detect phishing threats:<\/p>\n<p>The\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/phishing-simulation\">FortiPhish Phishing Simulation Service\u00a0<\/a>uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.<\/p>\n<p>In addition to these protections, we suggest that organizations also have their end users go through our free\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. 
It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<h2>Network IOCs<\/h2>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\" width=\"375\">\n<tbody>\n<tr>\n<td width=\"375\" valign=\"bottom\">\n<p>bounceclick.live\/VVB\/COrg_RYGGqN229.binb<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><i>Thanks to Fred Gutierrez who helped contribute to this blog.\u00a0<\/i><\/p>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/spoofed-saudi-purchase-order-drops-guloader\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652996604956\/img1.png\"\/><br \/>FortiGuard Labs recently discovered a social engineering email lure with a message delivered to a company in Ukraine. 
In part I of our blog, we will analyze the phishing email and provide an analysis of the embedded malware which contains an executable for GuLoader.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-19126","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19126"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19126\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}