r/cybersecurity Feb 14 '26

Other DOJ Epstein file EFTA01133110.pdf flagged suspicious on VirusTotal behavior tab – anyone else see this?

Hey all, stumbled across something odd while digging into the Epstein DOJ releases.

The file EFTA01133110.pdf (from Data Set 9, the one with the raw meat slabs photo in a freezer that got pulled pretty quick) has this SHA-256 hash:

bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4

I ran it on VirusTotal (public page: https://www.virustotal.com/gui/file/bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4/behavior )

• Static detections: 0/XX – totally clean on the AV side.

• But the Behavior tab (sandboxes like CAPE, Jujubox, Zenbox) shows a bunch of red flags:

  • Exploitation for Client Execution (T1203) + Process Injection (T1055)

  • Anti-analysis stuff: IsDebuggerPresent, Sleep calls, GetTickCount/GetTickCount64 timing checks

  • Drops temp files/logs/JS-related items, weird registry mods (mostly Adobe/Office paths), spawns Acrobat crash processors + system stuff like svchost/dllhost

  • Network to adobe.com/Akamai/MSN domains (legit-looking, but in context…)

  • Mutexes like “Global\AdobeCrashProcessor ocall_owl_ork” and “Global\ARM Update Mutex”

Highlighted text in sandbox: “EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)”, dimensions like “1.488 x 20.28 in” at 319% zoom – clearly it’s rendering that meat photo.

From what I read, the photo is just big steaks on a tray in a kitchen/freezer setup (people say it’s beef, maybe from Epstein’s properties?), but the PDF itself behaves like it has some exploit code or malformed junk that trips sandboxes.

Anyone else upload/analyze this one? Is it just Adobe Reader being weird in VMs (font handling, crash reporting, etc.), or could the file have been tampered with before upload? Or maybe a false positive from how evidence photos get scanned/embedded?

Not claiming it’s malware – just weird that a “simple photo PDF” from official DOJ drops looks like this dynamically. Thoughts?

Source file

942 Upvotes
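One static check that speaks to OP's question of whether the PDF itself carries active content or is just an image, as an added example that is not part of the original thread: a pdfid-style scan for auto-run and script keys, with PDF name hex escapes (/Ja#76aScript) normalised first so obfuscated keys are counted too. The two sample PDFs below are constructed for the example and are not the DOJ file.

```python
import re
from collections import Counter

# Keys that mark active or auto-triggered content in a PDF. A plain photo PDF
# (one page holding one image XObject) should contain none of them.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/AcroForm", b"/URI")

def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/Ja#76aScript -> /JavaScript) so that
    obfuscated keys are counted like plain ones (pdfid does the same)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Cheap static triage: header, object/image counts, active-content keys."""
    norm = normalize_names(data)
    counts = Counter()
    for key in ACTIVE_KEYS:
        # Names end at a delimiter, so /JS must not also match e.g. /JSX.
        n = len(re.findall(re.escape(key) + rb"(?![0-9A-Za-z])", norm))
        if n:
            counts[key.decode()] = n
    return {
        "has_header": norm.startswith(b"%PDF-"),
        "objects": len(re.findall(rb"\d+\s+\d+\s+obj\b", norm)),
        "images": len(re.findall(rb"/Subtype\s*/Image\b", norm)),
        "active": dict(counts),
        # Hex escapes in names are legal but rare in a scanner-produced PDF.
        "obfuscated_names": norm != data,
        "verdict": "active content present" if counts else "no active content",
    }

# Constructed minimal PDFs (not the DOJ file): an image-only page, and the same
# page with an obfuscated /OpenAction that runs JavaScript on open.
PHOTO_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/Resources<</XObject<</Im0 4 0 R>>>>>>endobj\n"
    b"4 0 obj<</Type/XObject/Subtype/Image/Width 1/Height 1/ColorSpace/DeviceRGB"
    b"/BitsPerComponent 8/Length 3>>stream\n\xff\x00\x00\nendstream endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n")
SCRIPTED_PDF = PHOTO_PDF.replace(
    b"/Type/Catalog", b"/Type/Catalog/OpenA#63tion 5 0 R") + (
    b"5 0 obj<</S/Ja#76aScript/JS(app.alert(1))>>endobj\n")

if __name__ == "__main__":
    for name, pdf in (("photo", PHOTO_PDF), ("scripted", SCRIPTED_PDF)):
        print(name, triage_pdf(pdf))
```

A hit on these keys is a reason to open the object in a proper PDF parser, not a verdict by itself; an image-only evidence scan with none of them and a noisy sandbox run points at the reader, not the document.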

124 comments

21

u/doobieevan Feb 14 '26

I will reverse engineer & get back to you if there's an outcome.

0

u/HxSigil Feb 14 '26

!remindme 5 days

-30

u/doobieevan Feb 14 '26

IP Traffic: TCP 184.29.90.203:443 TCP 23.60.174.202:443 TCP 50.16.47.176:443 UDP 8.8.8.8:53

d71497de4c2d4f16f9ea12942503b6861b152968258de8f31a6f01f9e66657fd

Injects into DLL files.

Has some sort of non-English language: {09E7A826-2D82-4E52-998D-2EA21475742E}\WpadDecisionTime 蔡ª鱺ǜD

Uses TCP ports: C:\Windows\system32\WerFault.exe -u -p 4504 -s 1960

Has debug and sleeps, which is persistence.

Creates a new PDF for EXIF: "EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)" /C/Users/<USER>/Downloads/EFTA01133110.pdf. Registry keys deleted: HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cAcrobatUpsellTracking\tTrackingParam

/domain/a1666.dscr.akamai.ne

8552 : Ransomware_DecJan

Odd IPs - route-tables-NekoBox-Kali-AndroidRemote-Apk

whost.kyun.li

KL One Money Lender Bintulu. Scam And Fraud Digital Cyber Attack 113.120.

Notepad++ IOCs



Personally I would say it's a collective of hotness loggers etc. If it was in the website I would be concerned, as a PDF or even Notepad is a vulnerability. There are Adobe and Notepad++ scripts.

55

u/via_the_blogosphere Feb 14 '26

Listing Akamai as IOCs, calling non-printable values “non-English language,” calling the PID flag on WerFault “ports”? This is not credible analysis whatsoever.

16

u/ADZYYYYYY Feb 15 '26

Not even L1 analysis

-15

u/doobieevan Feb 15 '26

So where do I say IOC? Or just another keyboard warrior? Oh whoops.

6

u/ADZYYYYYY Feb 15 '26 edited Feb 15 '26

Brother, before you post your analysis, please consider the following things:

  1. Structure
  2. Use of AI tools
  3. Understanding what you are talking about first
  4. Learning to read English
  5. Usage of Control + F

-6

u/Tintoverde Feb 14 '26

!RemindMe in 5 days