Stealing NTLM hashes via PDF files

PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction, and only by opening a file, according to Assaf Baharav, a security researcher with cyber-security Check Point.

Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.

“The PDF specification allows loading remote content for the GoToE & GoToR entries,” Baharav told Bleeping Computer today.

Stealing Windows credentials via PDF and SMB

For his research, Baharav created a PDF document that would utilize these two PDF functions. When someone would open this file, the PDF document would automatically make a request to a remote malicious SMB server.

By design, all SMB requests also include the NTLM hash for authentication purposes. This NTLM hash would be recorded in the remote SMB server’s log. Tools are available that can break this hash and recover the original password.

This type of attack is not new, at all, and in the past, has been executed by initiating SMB requests from inside Office documents, Outlook, browsers, Windows shortcut files, shared folders, and other Windows OS internal functions.

All PDF readers are most likely vulnerable

Now, Baharav has shown that PDF files are just as dangerous. The Check Point researcher told Bleeping Computer that he only field-tested the attack on Adobe Acrobat and FoxIT Reader.

“We chose to test these two high profile PDF readers,” Baharav told us. “Regarding the others, we highly suspect they…