PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction beyond opening the file, according to Assaf Baharav, a security researcher with cyber-security firm Check Point.
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
"The PDF specification allows loading remote content for the GoToE & GoToR entries," Baharav told Bleeping Computer today.
Stealing Windows credentials via PDF and SMB
For his research, Baharav created a PDF document that uses these two PDF functions. When someone opens the file, the PDF document automatically makes a request to a remote, malicious SMB server; because Windows authenticates to SMB shares transparently, that request carries the user's NTLM credential material to the attacker's server.
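The detection side of the mechanism described above can be checked with a small static scanner. The following is an added example, not code from Check Point or from the original article: it walks the uncompressed objects of a PDF, looks for GoToR and GoToE action dictionaries, and flags any file specification (/F or /UF) that resolves to a UNC path or a network URL rather than a local file. The sample PDF fragments, the host names and the object layout are constructed for the test and are not from the page; the scanner assumes the objects are not inside a compressed object stream or an encrypted document (a production tool would decompress and decrypt first).

```python
import re

# Action types the article names; both can carry a file specification that
# points outside the document. A UNC path there makes the reader open an SMB
# connection, which is the behaviour a defender wants to spot before the file
# is opened.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")

# Literal-string file specs: /F (...) or /UF (...), allowing escaped parens
# and backslashes inside the string.
FILESPEC_RE = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")

# Top-level object bodies: "N G obj ... endobj" (uncompressed objects only).
OBJECT_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)


def unescape_pdf_string(raw: bytes) -> bytes:
    """Minimal PDF literal-string unescape: a backslash quotes the next byte,
    so "\\\\" becomes "\\" and "\\(" becomes "(". Octal escapes are not handled."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            out += raw[i + 1:i + 2]
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return bytes(out)


def is_remote_filespec(spec: bytes) -> bool:
    """True when the file spec would be resolved over the network:
    a UNC path (\\\\host\\share\\...), a //host/... form, or a URL scheme."""
    s = spec.strip()
    if s.startswith(b"\\\\") or s.startswith(b"//"):
        return True
    return s.lower().startswith((b"http://", b"https://", b"smb://", b"file://"))


def scan_pdf_bytes(data: bytes) -> list:
    """Return one finding per GoToR/GoToE action whose file spec is remote."""
    findings = []
    for m in OBJECT_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        act = ACTION_RE.search(body)
        if not act:
            continue
        for fs in FILESPEC_RE.finditer(body):
            target = unescape_pdf_string(fs.group(1))
            if is_remote_filespec(target):
                findings.append({
                    "object": objnum,
                    "action": act.group(1).decode(),
                    "target": target.decode("latin-1"),
                })
    return findings


# Constructed sample objects (not a complete PDF, no xref/trailer) used to
# exercise the scanner. Host names are placeholders.
SAMPLE = (
    b"%PDF-1.7\n"
    # GoToR with a PDF-escaped UNC path: the literal string is
    # (\\\\fileserver.example\\share\\doc.pdf) in the file.
    b"2 0 obj << /S /GoToR /F (\\\\\\\\fileserver.example\\\\share\\\\doc.pdf) /D [0 /Fit] >> endobj\n"
    # GoToR to a local file: benign, should not be reported.
    b"3 0 obj << /S /GoToR /F (local-appendix.pdf) /D [0 /Fit] >> endobj\n"
    # GoToE whose file-spec dictionary uses /UF with a //host form.
    b"4 0 obj << /S /GoToE /T << /R /C /N (attachment.pdf) >> "
    b"/F << /Type /Filespec /UF (//nas.example/public/x.pdf) >> >> endobj\n"
)


if __name__ == "__main__":
    for f in scan_pdf_bytes(SAMPLE):
        print("object %d: %s -> %s" % (f["object"], f["action"], f["target"]))
```

Run against a real file by replacing SAMPLE with the file's bytes; an empty result only means no remote GoToR/GoToE spec was found in plain-text objects, so treat it as a first pass, not a clean bill of health.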
... ... ...