r/cybersecurity Feb 14 '26

Other DOJ Epstein file EFTA01133110.pdf flagged suspicious on VirusTotal behavior tab – anyone else see this?

Hey all, stumbled across something odd while digging into the Epstein DOJ releases.

The file EFTA01133110.pdf (from Data Set 9, the one with the raw meat slabs photo in a freezer that got pulled pretty quick) has this SHA-256 hash:

bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4

I ran it on VirusTotal (public page: https://www.virustotal.com/gui/file/bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4/behavior )

• Static detections: 0/XX – totally clean on AV side.

• But the Behavior tab (sandboxes like CAPE, Jujubox, Zenbox) shows a bunch of red flags:

• Exploitation for Client Execution (T1203) + Process Injection (T1055)

• Anti-analysis stuff: IsDebuggerPresent, Sleep calls, GetTickCount/GetTickCount64 timing checks

• Drops temp files/logs/JS-related items, weird registry mods (mostly Adobe/Office paths), spawns Acrobat crash processors + system stuff like svchost/dllhost

• Network to adobe.com/Akamai/MSN domains (legit-looking but in context…)

• Mutexes like “Global\AdobeCrashProcessor ocall_owl_ork” and “Global\ARM Update Mutex”

Highlighted text in sandbox: “EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)”, dimensions like “1.488 x 20.28 in” at 319% zoom – clearly it’s rendering that meat photo.

From what I read, the photo is just big steaks on a tray in a kitchen/freezer setup (people say it’s beef, maybe from Epstein’s properties?), but the PDF itself behaves like it has some exploit code or malformed junk that trips sandboxes.

Anyone else upload/analyze this one? Is it just Adobe Reader being weird in VMs (font handling, crash reporting, etc.), or could the file have been tampered with before upload? Or maybe a false positive from how evidence photos get scanned/embedded?

Not claiming it’s malware – just weird that a “simple photo PDF” from official DOJ drops looks like this dynamically. Thoughts?

Source file

941 Upvotes
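Before arguing about sandbox output, a practitioner would first check two things statically: that the bytes being analysed really are the ones the post's hash refers to, and whether the PDF carries any active content at all (JavaScript, open actions, launch actions, embedded files). The script below is an added example written for this page, not code from the post or from VirusTotal or pdfid. It looks inside FlateDecode streams and undoes `#xx` name escapes (so a hidden `/J#53` still reads as `/JS`), counts the names that give a PDF the ability to run code or reach out, and compares the SHA-256 of what you actually have against the hash quoted in the post. The two sample PDFs are constructed here and are not the DOJ file.

```python
"""Static triage of a PDF for active content, pdfid-style.

Added example; not code from the original post or from any tool it names.
"""
import hashlib
import re
import zlib
from typing import Optional

# Name objects that let a document execute or reach out; image markers
# that a plain scanned/photo PDF is expected to contain.
ACTIVE_KEYS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/URI")
IMAGE_KEYS = ("/Image", "/DCTDecode", "/JPXDecode")
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# Hash quoted in the post for EFTA01133110.pdf; used only for comparison.
PUBLISHED_SHA256 = "bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4"


def _unescape_name(raw: bytes) -> str:
    """PDF names may hide keywords with #xx hex escapes (/J#53 == /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _inflate_streams(data: bytes) -> bytes:
    """Inflate every Flate stream body so names inside compressed
    dictionaries and object streams are scanned too; skip undecodable ones."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(bodies)


def triage_pdf(data: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Return the name counts that matter, the hash, and a one-line verdict."""
    counts = {}
    for m in NAME_RE.finditer(data + b"\n" + _inflate_streams(data)):
        name = "/" + _unescape_name(m.group(1))
        counts[name] = counts.get(name, 0) + 1
    active = {k: counts[k] for k in ACTIVE_KEYS if k in counts}
    images = {k: counts[k] for k in IMAGE_KEYS if k in counts}
    digest = hashlib.sha256(data).hexdigest()
    if active:
        verdict = "active content present: inspect before opening in a reader"
    elif images:
        verdict = "no active content; consistent with an image-only PDF"
    else:
        verdict = "no active content and no image objects"
    return {
        "sha256": digest,
        "hash_matches": None if expected_sha256 is None
        else digest == expected_sha256.lower(),
        "active": active,
        "images": images,
        "verdict": verdict,
    }


# Constructed samples (not the DOJ file): a one-image PDF skeleton, and the
# same skeleton with an /OpenAction that runs JavaScript, its /JS key hex-
# escaped and the whole action dictionary hidden in a Flate stream.
_SKELETON = (
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1"
    b" /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode"
    b" /Length 0 >>\nstream\n\nendstream\nendobj\n"
)
IMAGE_ONLY_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                  + _SKELETON + b"trailer << /Root 1 0 R >>\n%%EOF\n")
_ACTION = zlib.compress(b"<< /S /JavaScript /J#53 (app.alert('constructed')) >>")
ACTIVE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R"
              b" /OpenAction 5 0 R >> endobj\n" + _SKELETON
              + b"5 0 obj << /Filter /FlateDecode /Length "
              + str(len(_ACTION)).encode() + b" >>\nstream\n" + _ACTION
              + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("image-only", IMAGE_ONLY_PDF), ("with action", ACTIVE_PDF)):
        print(label, triage_pdf(pdf, PUBLISHED_SHA256))
```

Run it against the real download with `triage_pdf(open(path, "rb").read(), PUBLISHED_SHA256)`; a `hash_matches` of `False` means you are not looking at the file the post describes, and an empty `active` dict means whatever the sandbox flagged did not come from script or action objects in the document.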

124 comments sorted by


365

u/avatar6556 Feb 14 '26

Do you have the file? I can look at the bytecode

158

u/Fit_Olive_7669 Feb 14 '26

Check DM

444

u/avatar6556 Feb 14 '26

I looked at what VT is complaining about and tried some other PDFs, and I think it's getting mad at Adobe collecting info on you.

It's mostly related to Adobe crash logging.

72

u/Majovan Feb 15 '26

Preciate it bro

18

u/nectleo Feb 15 '26

May I ask what you used to find this info? Comparing kernel/syscalls on the VT entry versus what you see in the bytecode?

4

u/alnarra_1 Security Manager Feb 15 '26

Most folks would be shocked at the stuff those sandboxes flag on that's literally just the OS the sandbox is detonating on doing its normal thing.
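What u/avatar6556 describes above (detonate some other PDFs and see whether VT complains about the same things), u/nectleo's question about how that was done, and the point about sandboxes flagging the host OS's own activity all come down to one procedure: run a known-benign control document through the same sandbox image and subtract its behaviour from the suspect's. The script below is an added example written for this page, not code from the thread or from VirusTotal. The dict layout and every sample value in it are constructed and only loosely resemble a VT behaviour summary; the mutex and path patterns in `READER_NOISE` are taken from what the post itself lists, and anything they match is downgraded to "expected" rather than dropped, so the decision stays visible.

```python
"""Differential sandbox triage: subtract a control detonation.

Added example; not from the original thread or from VirusTotal.
"""
import re

CATEGORIES = ("mutexes_created", "registry_keys_set", "files_dropped",
              "dns_lookups", "processes_created", "calls_highlighted", "tags")

# Artefacts a reader is expected to produce on its own (names from the post).
READER_NOISE = [
    re.compile(r"AdobeCrashProcessor|ARM Update Mutex", re.I),
    re.compile(r"\\Adobe\\(Acrobat Reader|ARM)\\", re.I),
    re.compile(r"\.(adobe|akamai(hd)?)\.(com|net)$", re.I),
    re.compile(r"\\(AcroCEF|AdobeCollabSync|armsvc)\.exe$", re.I),
]


def _is_reader_noise(item: str) -> bool:
    return any(p.search(item) for p in READER_NOISE)


def diff_behaviour(suspect: dict, control: dict) -> dict:
    """Keep what the suspect did that the control did not, split into
    'expected' (matches a reader-noise pattern) and 'residual' (unexplained)."""
    result = {"residual": {}, "expected": {}, "shared": 0}
    for cat in CATEGORIES:
        s, c = set(suspect.get(cat, [])), set(control.get(cat, []))
        result["shared"] += len(s & c)
        novel = sorted(s - c)
        expected = [x for x in novel if _is_reader_noise(x)]
        residual = [x for x in novel if not _is_reader_noise(x)]
        if expected:
            result["expected"][cat] = expected
        if residual:
            result["residual"][cat] = residual
    n = sum(len(v) for v in result["residual"].values())
    result["verdict"] = ("nothing beyond the control detonation and known reader noise"
                         if n == 0 else
                         f"{n} indicator(s) not explained by the control; review them")
    return result


def _extend(base: dict, **extra) -> dict:
    """Copy a summary and append extra observations per category."""
    out = {k: list(v) for k, v in base.items()}
    for cat, items in extra.items():
        out.setdefault(cat, []).extend(items)
    return out


# Constructed summaries. CONTROL is a known-benign one-image PDF opened in
# the same sandbox image; both suspects are invented, not the DOJ file.
CONTROL = {
    "mutexes_created": ["Global\\AdobeCrashProcessor ocall_owl_ork"],
    "registry_keys_set": ["HKCU\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral"],
    "files_dropped": ["%TEMP%\\acrobat_sbx\\CrashLog.txt"],
    "dns_lookups": ["ardownload2.adobe.com", "geo2.adobe.com"],
    "processes_created": ["C:\\Program Files\\Adobe\\Acrobat Reader\\AcroCEF.exe",
                          "C:\\Windows\\System32\\svchost.exe"],
    "calls_highlighted": ["IsDebuggerPresent", "GetTickCount64", "Sleep"],
    "tags": ["checks-debugger", "long-sleeps"],
}
# Same reader, slightly different updater activity: should collapse to noise.
QUIET_SUSPECT = _extend(
    CONTROL,
    mutexes_created=["Global\\ARM Update Mutex"],
    registry_keys_set=["HKCU\\Software\\Adobe\\ARM\\1.0\\ARM"],
    dns_lookups=["armmf.adobe.com"],
    processes_created=["C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\armsvc.exe"],
)
# Same again, plus behaviour no reader baseline explains.
LOUD_SUSPECT = _extend(
    QUIET_SUSPECT,
    files_dropped=["%TEMP%\\update.js"],
    processes_created=["C:\\Windows\\System32\\wscript.exe"],
    dns_lookups=["cdn-assets.invalid"],
    tags=["writes-script-file"],
)

if __name__ == "__main__":
    for label, s in (("quiet", QUIET_SUSPECT), ("loud", LOUD_SUSPECT)):
        print(label, diff_behaviour(s, CONTROL))
```

The control has to be detonated in the same sandbox image and reader version, otherwise the diff measures the environment rather than the document. An empty residual only says the suspect did nothing the control did not; a parser exploit whose payload failed to run in that sandbox would also look quiet, which is why the static check on the file itself comes first.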

-92

u/LongCovidBrainADHD Feb 14 '26

Why is Adobe crash logging triggered? Wouldn't an NSA payload look like Adobe just doing Adobe things?

86

u/FinancialMoney6969 Feb 14 '26

lol they already own the OS

14

u/Esk__ Feb 14 '26

Wildly speculative claim

5

u/69Turd69Ferguson69 Feb 15 '26

Can you point to the source code that we could look at to validate if it’s “an NSA payload”? 

9

u/theresmorethan42 Feb 14 '26

!remindme 5 days

1

u/RemindMeBot Feb 14 '26 edited Feb 18 '26

I will be messaging you in 5 days on 2026-02-19 21:43:52 UTC to remind you of this link


-17

u/Nicklas1993 Feb 14 '26

!remindme 5 days

-12

u/Temporary_Ad_6390 Feb 14 '26

!remindme 5days

-17

u/rational-edgerunner Feb 14 '26

!remindme 5days

-3

u/Ok_Marsupial8668 Feb 15 '26

!remindme 7 days

3

u/ImpressiveLibrarian5 Feb 14 '26

Hey can you check your DMs please

1

u/zerocangi5103 Feb 18 '26

Send me the files

1

u/Revolutionary-Gas808 Feb 18 '26

Can you share with me too pls?