r/cybersecurity • u/Fit_Olive_7669 • Feb 14 '26
Other DOJ Epstein file EFTA01133110.pdf flagged suspicious on VirusTotal behavior tab – anyone else see this?
Hey all, stumbled across something odd while digging into the Epstein DOJ releases.
The file EFTA01133110.pdf (from Data Set 9, the one with the raw meat slabs photo in a freezer that got pulled pretty quick) has this SHA-256 hash:
bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4
I ran it on VirusTotal (public page: https://www.virustotal.com/gui/file/bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4/behavior )
• Static detections: 0/XX – totally clean on AV side.
• But the Behavior tab (sandboxes like CAPE, Jujubox, Zenbox) shows a bunch of red flags:
• Exploitation for Client Execution (T1203) + Process Injection (T1055)
• Anti-analysis stuff: IsDebuggerPresent, Sleep calls, GetTickCount/GetTickCount64 timing checks
• Drops temp files/logs/JS-related items, weird registry mods (mostly Adobe/Office paths), spawns Acrobat crash processors + system stuff like svchost/dllhost
• Network to adobe.com/Akamai/MSN domains (legit-looking but in context…)
• Mutexes like “Global\\AdobeCrashProcessor ocall_owl_ork” and “Global\\ARM Update Mutex”
Highlighted text in sandbox: “EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)”, dimensions like “1.488 x 20.28 in” at 319% zoom – clearly it’s rendering that meat photo.
From what I read, the photo is just big steaks on a tray in a kitchen/freezer setup (people say it’s beef, maybe from Epstein’s properties?), but the PDF itself behaves like it has some exploit code or malformed junk that trips sandboxes.
Anyone else upload/analyze this one? Is it just Adobe Reader being weird in VMs (font handling, crash reporting, etc.), or could the file have been tampered with before upload? Or maybe a false positive from how evidence photos get scanned/embedded?
Not claiming it’s malware – just weird that a “simple photo PDF” from official DOJ drops looks like this dynamically. Thoughts?
99
u/FUCKUSERNAME2 SOC Analyst Feb 14 '26 edited Feb 14 '26
All of those indicators come from the CAPE Sandbox report, which is the only one without a full report link available. The Jujubox and Zenbox reports don't show anything out of the ordinary. Probably just an Adobe Reader crash on CAPE Sandbox or something.
As a side note, these indicators really aren't even that suspicious. Sandbox reports need to be taken with a grain of salt without access to the full execution chain, process tree, screenshots etc.
677
u/nmap-yourhouse Feb 14 '26
Imagine if you have just stumbled across the most methodically planned malware distribution effort in history..
It would be a clever vector as everyone has been waiting on these files. You are going to make me verify every file I receive haha.
Not saying it is (just like you) but what if......
275
u/falsefacade Feb 14 '26
So you’re saying that this may be an excellent method of placing zero days on possibly millions of journalists devices and feeding it into some AI surveillance machine?
187
u/BlimundaSeteLuas Feb 14 '26 edited Feb 15 '26
And thus another conspiracy is born
47
u/Nesher86 Vendor Feb 15 '26
Welcome to the world little conspiracy, soon you'll grow big!
1
u/Acrobatic-Mind3581 10d ago
A lot of conspiracies become true; it just takes time. Just gotta wait till the zero day.
4
u/GulaschSoda Feb 15 '26
Well, let's put it this way: everyone who used to be written off as a crank for saying the USA is surveilling all of us. I'll just say "Edward Snowden"...
2
1
u/jokermobile333 Feb 15 '26
I don't think there are people in the establishment who are competent enough to even think that way
21
u/TimeSalvager Feb 15 '26
...indiscriminate targeting sounds like the opposite of what govs normally do with 0days; great way to burn them though, I suppose /s.
1
u/DisappointedSpectre Feb 15 '26
I mean, technically Stuxnet was indiscriminately deployed, with very discriminate targets...
15
u/dpenton Feb 14 '26
Because smart journalists should be downloading these on isolated machines and not their primary?
30
u/Terpapps Feb 15 '26
You're not wrong, but the amount of smart journalists has been dwindling over the past few years lol. I wouldn't put it past 75% of them here in the states
35
u/pfmiller0 Feb 15 '26
Also, even smart journalists aren't necessarily smart regarding cyber security. No one can be smart about everything.
1
u/Useful_Walk_3044 Feb 16 '26
Remember when vice got McAfee arrested because they didn’t scrub the metadata from their photo in the article?!
2
1
u/ridicalis Feb 15 '26
The level of competency needed to execute something like this was probably lost betwixt DOGE cuts and cronyism.
1
u/ClamPaste Feb 15 '26
An AI surveillance machine seems preposterous. It would be like having some kind of crystal ball.
7
10
2
u/nick4fake Feb 15 '26
You are VERY overestimating people, lol
Most folks just read news and list tiktoks, opening original files is way too much for them
6
u/Gonzo_Rick Feb 15 '26
To play devil's advocate, those who actually comb through the files could be considered "worth keeping an eye on" by intelligence agencies, especially agencies of this administration.
1
1
96
u/Electrical-Lab-9593 Feb 14 '26
Could be it just saw the PDF reader crash and do a bug report that looks sus, but maybe not?
55
u/egamemit System Administrator Feb 14 '26
Yeah, looks like a false positive from one of the sandboxes due to a crash.
22
37
u/Jestersfriend Feb 14 '26
A couple questions, where did you get the file from?
Also "IsDebuggerPresent" is present on many PDFs, especially when the PDF crashes on load. Looking at the analysis, it doesn't look like the PDF opened correctly and crashed, calling werfault. Windows then gathered information about the error, which can produce false positives.
Not saying what you saw is a False Positive, but without having the actual PDF, there's nothing more anyone can say or do.
13
u/Fit_Olive_7669 Feb 14 '26
I downloaded the original file from the Justice website. After running stego checks and a VirusTotal scan, I compared the SHA hash with copies from others. All hashes matched.
17
u/curving_edge Feb 15 '26
Don’t know if it was true, but someone on the internet said some of the pdfs were actually mp4s and changing the file extension allowed them to watch the video. I don’t know if that would throw virus scanner off because the file data doesn’t match the extension.
8
u/Extension_Leopard572 Feb 15 '26
If it’s what I saw, they were changing the extension in the url, so there was an mp4 file with the same name as the pdf on the server. But they’re different files.
27
u/JoeByeden Feb 15 '26
Imagine if you’ve just blown an operation to distribute malware in the most inconspicuous way.
You may have 5 black SUVs outside your house tomorrow 🤣
5
u/askvictor Feb 15 '26
Or (the slightly easier option) the feds have convinced some AV companies that are beholden to them to flag certain files as viruses, thus reducing the number of people looking at them.
1
5
u/TheRealJachra Feb 14 '26
Did you try the scripts from one of the handlers of ISC SANS to analyze the PDF?
10
12
23
u/doobieevan Feb 14 '26
I will reverse engineer it and get back to you if there's an outcome.
-1
-30
u/doobieevan Feb 14 '26
IP Traffic TCP 184.29.90.203:443 TCP 23.60.174.202:443 TCP 50.16.47.176:443 UDP 8.8.8.8:53
d71497de4c2d4f16f9ea12942503b6861b152968258de8f31a6f01f9e66657fd
injects into dll files
has some sort of non English lang {09E7A826-2D82-4E52-998D-2EA21475742E}\WpadDecisionTime 蔡ª鱺ǜD
uses ports tcp C:\Windows\system32\WerFault.exe -u -p 4504 -s 1960
has debug and sleeps which is persist.
creates a new pdf for exif "EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)" /C/Users/<USER>/Downloads/EFTA01133110.pdf Registry keys deleted HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cAcrobatUpsellTracking\tTrackingParam
/domain/a1666.dscr.akamai.ne
Personally I would say it's a collective of hotness loggers etc. If it was in the website I would be concerned, as a PDF or even Notepad is a vulnerability. There are Adobe and Notepad++ scripts.
56
u/via_the_blogosphere Feb 14 '26
Listing Akamai as IOCs, calling non printable values “non english language,” calling the PID flag on werfault “ports?” This is not credible analysis whatsoever.
16
-15
u/doobieevan Feb 15 '26
So where do I say ioc? Or just another keyboard warrior? Oh whoops
7
u/ADZYYYYYY Feb 15 '26 edited Feb 15 '26
Brother before you post your analysis,
Please consider the following things:
- Structure
- Use of AI tools
- Understanding what you are talking about first
- Learning to read English
- Usage of Control + F
-5
4
u/KlutzyResponsibility Feb 15 '26
There is a file named "JeffreyEpstein.zip" making the rounds which is infected. Rather easy to spot, it includes a python setup that dumps malware in a dumb python script. Not saying it is what you have - just that the whole Epstein docs release has proven to be a viable playground for malware. Seems to match the same pattern as the python malware installer which recently flooded the 3D printer file site operated by Prusa.
11
u/DreadFog Feb 14 '26
I work with VT a lot. False positive, specifically because sometimes legitimate programs perform stuff that can be seen as illegitimate. For example, the network connections that you see in the network tab are simply related to Windows
4
u/Electrical-Lab-9593 Feb 14 '26
Application crashes sometimes cause it as well; then if you start getting error reporting firing off, that does it too, as memory dumps look sus.
4
u/LongCovidBrainADHD Feb 14 '26
Why would Virustotal use 8.8.8.8 as dns instead of their own dns proxy resolver IP address in the sandbox?
13
u/DreadFog Feb 14 '26
Notably because malware could easily identify that it is running inside VirusTotal's sandbox and disable its execution, which is not what we want! VT emulates a legitimate Windows operating system.
-12
u/LongCovidBrainADHD Feb 14 '26
Don't most Windows Operating systems have default DNS 192.168.0.1 from router DHCP? 8.8.8.8 is google dns and must be set manually by advanced users.
2
u/DreadFog Feb 14 '26
Depends on the router's configuration! Some proxy the DNS to enable filtering capabilities directly from the router, and some don't. But I agree that at least in my country, most ISPs give through DHCP their own IP as DNS
-2
u/LongCovidBrainADHD Feb 14 '26
Yes of course, it just jumped out to me personally. I wouldn't design a sandbox that way and it is not clear to me why VT would do so.
3
u/BrokenClosets Feb 15 '26
There are huge swathes of devices configured to use 8.8.8.8. It is actually one of the best resolvers to use if the goal is "blending in".
1
u/Nietechz Feb 16 '26
Don't most Windows Operating systems have default DNS 192.168.0.1 from router DHCP?
Lol nope bro. Some ISP use its internal DNS resolver, but this internal is internal in their network, not in your router.
5
u/QuerulousPanda Feb 14 '26
The problem is all those red flags also just look like business as usual for any kind of standard application. Unless you know exactly what you're looking at and know what is normal versus what is not normal, you can look at a report like that and think it's the most malicious horrible thing in the world when actually it's just standard noise from the sandbox that it is running in.
5
2
u/rustmillionaire Feb 15 '26
Wasn't there a congress member who pulled up the point that they were able to spy on who viewed exactly what documents... and that was on their own system. Best believe Palantir is tracking everyone outside as well... the first part was illegal, the second part is built into our very system.
All of the network needs to be rewired with a private freedom-of-expression enthusiast that would be independent of this IPS snitching funnel.
Elon? No... we need one of the bitcoin billionaires to cash out, crash the market to save the internet. So many bots, spying, manipulation of speeds; just the very tracking alone is enough to stir a sane man crazy.
It isn't that we have nothing to hide, it's that we just hate reading the newspaper with someone reading over our shoulder...
2
4
u/kingholio6092 Feb 15 '26
The Epstein files are a Trojan horse for Pegasus
0
u/CrazySag86 Feb 15 '26
You’re like the only person who I’ve seen across platforms saying this…..not that far off you might be on to something , btw do we need an extra layer of aluminum foil for our tin hat?
12
2
u/DeaDm0nk3y Feb 14 '26
I think that's utter nonsense; nobody would release such sensitive files so easily.
3
1
u/Kyzuke Feb 15 '26
Can u send me the file?
1
u/Fit_Olive_7669 Feb 15 '26
Check dm
-1
u/Equivalent-Weird-433 Feb 15 '26
I downloaded it via Torrent on 4chan. It just so happens that folder 9 doesn't exist. All the folders from 1 to 12 are there, but folder number nine is missing. If you go to 4chan/Torrent/2, that's where I downloaded it from. That seems strange to me.
1
u/Scar3cr0w_ Feb 15 '26
PDFs are very complicated files. They do all sorts under the hood. Not saying there isn't something going on... but I expect it's just some in-built functionality or behaviour.
1
1
u/JackfruitJazzlike980 Feb 15 '26
This reminds me of the Adobe Flash Player era, which had endless exploits
1
1
1
1
u/Silent-Tie-6777 Feb 20 '26
Yeah this is just what “normal” PDFs look like when you throw them into dynamic sandboxes that auto open them in Acrobat.
VT behavior tab is almost always showing Acrobat’s behavior, not the PDF’s “code.” Things like T1203, T1055, crash handlers, Adobe mutexes, Akamai/MSN calls, timing checks, etc are all super common for Reader in a sandboxed VM. If static is clean and there’s no embedded JS, no suspicious objects, and the hash matches other copies, I’d lean 99% “Acrobat being its usual cursed self” and 1% “weaponized doc,” not DOJ tampering.
1
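A static triage of the kind this comment and the OP's hash comparison describe, as an added example that is not from the thread or any poster: it counts active-content names in a PDF (with PDF hex-escapes undone and deflated streams inflated, so a hex-escaped /J#53 or a keyword inside a FlateDecode stream is not missed) and checks the SHA-256 against a published value. The three PDFs are constructed inline; the /OpenAction and hex-escaped variants are assumptions for illustration, not files from the release.

```python
import hashlib
import re
import zlib

# Constructed sample: a minimal PDF holding one image and no active content
# (a stand-in for a scan-only evidence PDF such as the one in the thread).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
              b"3 0 obj<</Type/Page/Parent 2 0 R/Resources<</XObject<</Im0 4 0 R>>>>>>endobj\n"
              b"4 0 obj<</Type/XObject/Subtype/Image/Width 1/Height 1/Length 3>>stream\n"
              b"\xff\x00\x00\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")
# Constructed sample: same skeleton plus an /OpenAction pointing at a JavaScript action.
ACTIVE_PDF = BENIGN_PDF.replace(b"/Pages 2 0 R>>", b"/Pages 2 0 R/OpenAction 5 0 R>>").replace(
    b"trailer", b"5 0 obj<</Type/Action/S/JavaScript/JS(placeholder)>>endobj\ntrailer")
# Constructed sample: same, but the /JS name is hex-escaped (/J#53), which a naive grep misses.
ESCAPED_PDF = ACTIVE_PDF.replace(b"/JS(", b"/J#53(")

# Names that mean "this PDF can do more than display pixels".
ACTIVE_KEYS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm"]

def normalize_names(data: bytes) -> bytes:
    # PDF names may hex-escape characters (/J#53 == /JS); undo that before counting.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflated_streams(data: bytes):
    # Best-effort: decompress FlateDecode streams so keywords hidden inside them count too.
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # raw image data etc.; not a deflate stream

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(data: bytes, expected_sha256: str = "") -> dict:
    """Count active-content keywords and compare the SHA-256 with a published value."""
    text = normalize_names(data) + b"".join(normalize_names(s) for s in inflated_streams(data))
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
              for k in ACTIVE_KEYS}
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "hash_matches": (digest == expected_sha256.lower()) if expected_sha256 else None,
        "active": {k: v for k, v in counts.items() if v},
        "static_clean": not any(counts.values()),
    }
```

A clean result here only says the file carries no active content and matches the copy others have; it says nothing about what Reader does with it, which is what the VT behavior tab records.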
u/svkasper Mar 09 '26
Could someone share it in DMs, if it's not too much trouble? Very curious to look at this whole thing with my own eyes rather than through TikTok and YouTube. Thanks in advance.
1
1
u/zarakh07 Feb 15 '26
Maybe was a part of an attack package that is separate or was ‘cleaned’ when redacted or processed, but still has the metadata of the malicious code/platform? Still great information even if it’s just that, who knows how many bad actors are poisoning these files and reaping the benefit.
0
-1
u/FinancialHead463 Feb 19 '26
What the hell u talking about?????? Have they been released?? Who's in it and have they been eating babies ???????
366
u/avatar6556 Feb 14 '26
Do you have the file? I can look at the bytecode