PDF

PDF stands for Portable Document Format.[^5] Code can be embedded in a PDF to allow for remote code execution; this can let an attacker take control of an endpoint by sending a malicious Resume/CV and then move around inside the network. The first line of a PDF file is %PDF- followed by a version number, and the last line of a PDF file contains %%EOF. PDF files can execute code, and if the reader contains a vulnerability this may allow malicious code execution.[^1] Most web browsers contain a built-in PDF reading engine.[^1] JavaScript is a powerful way to customize PDF files.[^1] PDF files consist of numbered objects.[^1]

Malicious PDF files can include JavaScript callbacks that reveal the IP address, operating system, and browser version to a remote server.[^1] If the malicious callback address is set up as an SMB share, the reader connecting to that location will leak the user's NTLM credentials.[^1] PDF streams can contain an XML stylesheet that can be misused for malicious purposes.[^1] Malicious PDF files can contain an embeddable link in a /URI tag.[^2] .DLL or .EXE payloads can also be embedded in a PDF document. PDF files may contain hyperlinks, videos, photos, and other information besides just text.[^3] Dictionaries are the main building block of a PDF document:

<< Dictionary Contents go Here >>

PDF documents can be weaponized through SMS and MMS messages to target mobile devices.[^4] Malicious URLs and other content can be obfuscated to evade traditional analysis.[^4] The PDF format is standardized as ISO 32000.[^5] PDF files can include interactive features such as scripts, attachments, and multimedia.[^5] Malicious PDFs are some of the most successful and popular attack vectors.[^5] PDF files can be used to digitize documents. PDF files can merge content from diverse sources into one self-contained document. PDF files can use digital signatures to certify authenticity. The specification does not define a minimum feature set that a PDF reader must support, so some vendors' software may not implement all of the functionality in the specification. PDF 2.0 uses AES encryption. PDF files use Unicode-based passwords. Newer PDF specifications must be backward compatible with existing PDF files.
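
Static triage along the lines of the analysis in [^3], written as an added example for this note (it is not code from any of the cited sources). It checks the %PDF- header and %%EOF trailer, counts numbered objects, inflates FlateDecode streams so that names hidden by compression are still seen, counts the indicators discussed above (/JavaScript, /OpenAction, /URI and so on), and extracts /URI targets. The PDF it scans is constructed inline as test data; the host example.invalid is a placeholder, and the skeleton has no xref table, which the scanner does not need.

```python
import re
import zlib

# Names from the PDF spec that static triage tools commonly flag. A hit is a
# lead for an analyst, not proof of malice: legitimate forms use several of them.
SUSPICIOUS_NAMES = [
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/AcroForm",
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def check_header_trailer(data: bytes) -> dict:
    """Report the %PDF-<version> header and whether the file ends with %%EOF."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    version = m.group(1).decode() if m else None
    # Readers tolerate trailing whitespace after %%EOF, so strip it before checking.
    has_eof = data.rstrip(b"\r\n\t ").endswith(b"%%EOF")
    return {"version": version, "has_eof": has_eof}


def inflate_streams(data: bytes) -> list:
    """Return the inflated body of every stream that is zlib/Flate compressed.

    decompressobj is used instead of zlib.decompress so a stream whose trailing
    bytes were clipped by the regex (or deliberately truncated) still yields its
    content instead of raising. Non-Flate streams are skipped; the raw scan
    already covers them.
    """
    inflated = []
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue
        if out:
            inflated.append(out)
    return inflated


def count_indicators(haystacks: list) -> dict:
    """Count each suspicious name across the raw file and its inflated streams."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead stops /JS from matching longer names such as /JSX.
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z])")
        n = sum(len(pat.findall(h)) for h in haystacks)
        if n:
            counts[name.decode()] = n
    return counts


def extract_uris(haystacks: list) -> list:
    """Pull the target of every /URI action, which is where a lure would point."""
    return [m.group(1).decode("latin-1") for h in haystacks for m in URI_RE.finditer(h)]


def triage(data: bytes) -> dict:
    """Static triage of one PDF: header/trailer, object count, indicators, URIs."""
    report = check_header_trailer(data)
    report["objects"] = len(OBJ_RE.findall(data))
    haystacks = [data] + inflate_streams(data)
    report["indicators"] = count_indicators(haystacks)
    report["uris"] = extract_uris(haystacks)
    ind = report["indicators"]
    # JavaScript wired to an open-time trigger is the classic pattern to escalate.
    report["auto_exec_js"] = (("/OpenAction" in ind or "/AA" in ind)
                              and ("/JavaScript" in ind or "/JS" in ind))
    return report


def build_sample_pdf() -> bytes:
    """Construct a minimal PDF skeleton (no xref table) for exercising the scanner.

    The JavaScript action lives inside a FlateDecode object stream, so the
    string /JavaScript never appears in the raw bytes; a link annotation points
    at a placeholder host. Constructed test data, not a real sample.
    """
    objstm_body = b"5 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>"
    compressed = zlib.compress(objstm_body)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Annots [6 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
        % len(compressed) + b"stream\n" + compressed + b"\nendstream\nendobj\n",
        b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (http://example.invalid/lure) >> >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run it on a file with `triage(open(path, "rb").read())`. The point of the object-stream sample is that a plain string search for /JavaScript over the raw bytes finds nothing, while the same search over the inflated streams does; real triage tools take the same approach and then decode any /JS payload for a closer look.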

[[Operation Dream Job]] – used malicious PDF files
[[Grandoreiro Banking Trojan]] – delivered malicious PDF files from cloud storage sites
[[4Chan]] – was hacked with an upload of a malicious PDF file
[[RATTY]] – RAT delivered through remote access trojans
[[Graphite Spyware]] – uses a PDF as an initial attack vector
[[Star Blizzard (SEABORGIUM)]] – uses PDF files hosted in Google Drive, OneDrive, or ProtonDrive
[[NoodlaFile Stealer]] – uses malicious PDF files
[[AcroForms]] – scripting technology used in PDF
[[XFA Forms]] – scripting technology used in PDF
[[PDF Object]]
[[PDF Dictionary]]
[[PDF Structure]]
[[Flate Decode]] – algorithm used for compression in PDF files
[[WikiLoader]] – malware that spreads through PDF files
[[Ursnif]] – malware that spreads through PDF files
[[DarkGate]] – malware that spreads through PDF files
[[PDF Tutorial]]
[[Hydraq Malware]] – first version was delivered using a spear-phishing email with a malicious PDF
[[2019 ANU Data Breach]] – converted databases to PDF files for extraction
[[LNK file]] – may be disguised as malicious PDF files
[[PDFSpider]] – impersonates a well-known PDF creator

Backlinks

[[AES]]
[[Browser Vulnerabilities]]
[[Cell Phone OPSEC]]
[[Digital Signatures]]
[[DLL Sideloading]]
[[Elliptic Curve Cryptography]]
IP Addresses
[[JavaScript]]
[[Linked List]]
[[NTLM]]
[[Phishing]]
[[SMB]]
[[SMS]]
[[unicode]]
[[XML]]

Sources

[1] P. Stokes, “Malicious PDFs | Revealing the Techniques Behind the Attacks,” SentinelOne. [Online]. Available: https://www.sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks/
[2] Z. Doffman, “New iPhone, Android Warning—Do Not Open Any Of These PDFs,” Forbes. [Online]. Available: https://www.forbes.com/sites/zakdoffman/2025/01/30/new-iphone-android-warning-do-not-open-any-of-these-pdfs/
[3] “Static malware analysis of PDF files.” [Online]. Available: https://websec.net/blog/static-malware-analysis-of-pdf-files-6381044f46737a7c2f9ddd17
[4] P. Morales, “PDF Phishing: The Hidden Mobile Threat.” [Online]. Available: https://zimperium.com/blog/pdf-phishing-the-hidden-mobile-threat
[5] V. K, “Cybersecurity Vulnerabilities in PDF Files: Exploitation Techniques and Defenses.” [Online]. Available: https://www.linkedin.com/pulse/cybersecurity-vulnerabilities-pdf-files-exploitation-defenses-victor-bcbee