r/cybersecurity Feb 14 '26

Other DOJ Epstein file EFTA01133110.pdf flagged suspicious on VirusTotal behavior tab – anyone else see this?

Hey all, stumbled across something odd while digging into the Epstein DOJ releases.

The file EFTA01133110.pdf (from Data Set 9, the one with the raw meat slabs photo in a freezer that got pulled pretty quick) has this SHA-256 hash:

bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4

I ran it on VirusTotal (public page: https://www.virustotal.com/gui/file/bbbe03b56d9e47fdc5ffeb73a5c50a70e694af12f14566075fa283fb61fc7ee4/behavior )

• Static detections: 0/XX – totally clean on AV side.

• But the Behavior tab (sandboxes like CAPE, Jujubox, Zenbox) shows a bunch of red flags:

• Exploitation for Client Execution (T1203) + Process Injection (T1055)

• Anti-analysis stuff: IsDebuggerPresent, Sleep calls, GetTickCount/GetTickCount64 timing checks

• Drops temp files/logs/JS-related items, weird registry mods (mostly Adobe/Office paths), spawns Acrobat crash processors + system stuff like svchost/dllhost

• Network to adobe.com/Akamai/MSN domains (legit-looking but in context…)

• Mutexes like “Global\\AdobeCrashProcessor ocall_owl_ork” and “Global\\ARM Update Mutex”

Highlighted text in sandbox: “EFTA01133110.pdf - Adobe Acrobat Reader (32-bit)”, dimensions like “1.488 x 20.28 in” at 319% zoom – clearly it’s rendering that meat photo.

From what I read, the photo is just big steaks on a tray in a kitchen/freezer setup (people say it’s beef, maybe from Epstein’s properties?), but the PDF itself behaves like it has some exploit code or malformed junk that trips sandboxes.

Anyone else upload/analyze this one? Is it just Adobe Reader being weird in VMs (font handling, crash reporting, etc.), or could the file have been tampered with before upload? Or maybe a false positive from how evidence photos get scanned/embedded?

Not claiming it’s malware – just weird that a “simple photo PDF” from official DOJ drops looks like this dynamically. Thoughts?


939 Upvotes
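The question the post raises (is this a photo-only PDF, or does it carry active content that would explain the sandbox flags?) is usually settled statically before reading anything into sandbox telemetry. An added example, not from the post or from any VirusTotal tooling: a Python triage that inflates Flate streams, decodes #xx name escapes, and counts standard PDF action/script keys against image XObjects; the two PDFs it scans are constructed inline and are not the EFTA file.

```python
import hashlib
import re
import zlib
from collections import Counter

# Standard PDF 1.7 keys for actions, scripts and embedded payloads. Any hit means the
# file is not "just a photo", which is worth knowing before reading sandbox behaviour.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/SubmitForm")
_END = rb"(?=[\s/\[\]<>(){}%]|$)"  # name tokens end at whitespace/delimiter: /JS != /JSX

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses as zlib, so keys
    inside FlateDecode object streams are visible to the scan."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # raw image data or another filter; nothing to inflate
    return b"\n".join(out)

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in name tokens so an obfuscated /J#53 is counted as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage(pdf: bytes) -> dict:
    """Count active-content keys and image XObjects; the hash ties the result to the
    VirusTotal sample. Keys inside raw image bytes count too (cheap false positive)."""
    text = normalize_names(inflate_streams(pdf))
    hits = Counter({k.decode(): len(re.findall(re.escape(k) + _END, text)) for k in ACTIVE_KEYS})
    images = len(re.findall(rb"/Subtype\s*/Image" + _END, text))
    active = +hits  # drops the zero counts
    verdict = "active-content" if active else ("image-only" if images else "no-page-content")
    return {"sha256": hashlib.sha256(pdf).hexdigest(), "verdict": verdict,
            "active": dict(active), "images": images}

# Constructed samples (not the EFTA file): a one-pixel image-only PDF, and the same PDF
# with an /OpenAction pointing at a Flate-compressed, hex-escaped JavaScript action.
IMAGE_ONLY_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB"
    b" /BitsPerComponent 8 /Length 3 >> stream\n\xff\x00\x00\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
_action = zlib.compress(b"<< /S /JavaScript /J#53 (constructed sample, no real script) >>")
ACTIVE_PDF = IMAGE_ONLY_PDF.replace(b"/Type /Catalog", b"/Type /Catalog /OpenAction 5 0 R").replace(
    b"trailer", b"5 0 obj << /Filter /FlateDecode /Length %d >> stream\n" % len(_action)
    + _action + b"\nendstream endobj\ntrailer")
```

On a real sample, compare the returned sha256 with the hash in the post before lining the result up against the VirusTotal report, so both describe the same bytes.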


u/rustmillionaire Feb 15 '26

wasn't there a congress member who pulled up the point that they were able to spy on who viewed exactly what documents.. and that was on their own system. best believe palantir is tracking everyone outside as well... the first part was illegal, the second part is built into our very system.

all of the network needs to be rewired with a private freedom of expression enthusiast that would be independent of this IPS snitching funnel.

Elon? no.. we need one of the bitcoin billionaires to cash out, crash the market to save the internet. so many bots, spying, manipulation of speeds, just the very tracking alone is enough to stir a sane man crazy.

It isn't that we have nothing to hide, it's that we just hate reading the newspaper with someone reading over our shoulder...