Cyber Security News

New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique

A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural “fingerprints.”

Released by Proofpoint, the tool lets security teams write detection rules against the object structure of a PDF rather than against its content, which attackers change far more often.

This innovation addresses the growing reliance of threat actors on PDFs for delivering malware, credential phishing, and business email compromise (BEC) attacks.

By focusing on document structure rather than volatile elements such as URLs or images, the tool supports clustering of related files and attribution to specific threat groups even as attackers rotate their lures. Proofpoint developed the technique internally to track multiple threat actors before releasing it as open source.

PDFs remain a staple in email-based campaigns, often embedding URLs to malware downloads, QR codes directing users to phishing sites, or forged invoices mimicking brands like banks or services.

Proofpoint notes that these files can initiate chains leading to remote access trojans or data theft.

However, the PDF format's complexity, which permits endless valid variations of the same document for compatibility reasons, poses detection challenges: encrypted strings and streams hide URIs and payloads, and compressed objects obscure what the file contains.

The core issue lies in PDF's flexibility: six valid whitespace characters (NUL, tab, line feed, form feed, carriage return and space), cross-reference tables that may be replaced by compressed cross-reference streams, and object values that may be written inline or supplied as an indirect reference to another object, interchangeably.

Standard PDF encryption complicates matters further. It encrypts string and stream contents but leaves object and dictionary structure (names such as /Type, /Annot or /URI) in the clear, so a parser sees the document's skeleton while the details, such as a malicious link's target, stay hidden.

Traditional signatures falter against these evasions, as minor tweaks render file hashes or metadata-based indicators useless.

PDF Object Hashing sidesteps this by parsing the file’s object hierarchy, extracting types such as Pages, Catalog, XObject/Image, Annotations/Link, Metadata/XML, Producer, and Font/Type1.

These type labels are concatenated in file order and hashed into a stable "fingerprint," akin to imphash for executables. Lure-specific changes, such as a swapped image or a new URL, leave the fingerprint unchanged, which allows clustering of related files.

As Proofpoint demonstrates, overlapping hashes (visualized in green-yellow diagrams) reveal connections across variants, aiding threat hunting without decryption.
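To make the structural hashing concrete, the following is an added illustration written for this article; it is not Proofpoint's released code. The object labels it extracts, the comma-joined ordering and the use of SHA-256 are assumptions, and the PDF it hashes is constructed inline rather than taken from any campaign. It parses objects while tolerating all six PDF whitespace bytes, looks only at dictionaries (never stream payloads or string values), and shows the two properties the article relies on: swapping the lure URL, changing the whitespace byte, or replacing the URI with opaque bytes (which is what an encrypted string looks like to a parser) leaves the hash unchanged, while removing the /Link annotation changes it.

```python
"""Illustrative PDF object-type fingerprint in the spirit of Proofpoint's
PDF Object Hashing. Added example, not Proofpoint's code: the object labels,
their joining and the choice of SHA-256 are assumptions made here."""
import hashlib
import re

# ISO 32000 defines six whitespace bytes: NUL, HT, LF, FF, CR and SP. A parser
# that only expects "\n" or " " is trivially evaded by swapping one for another.
WS = rb"[\x00\x09\x0a\x0c\x0d\x20]"

# "N G obj <body> endobj", with any mix of the six whitespace bytes as separators.
OBJ_RE = re.compile(rb"(\d+)" + WS + rb"+(\d+)" + WS + rb"+obj(.*?)endobj", re.DOTALL)
TYPE_RE = re.compile(rb"/Type" + WS + rb"*/([A-Za-z0-9]+)")
SUBTYPE_RE = re.compile(rb"/Subtype" + WS + rb"*/([A-Za-z0-9]+)")
PRODUCER_RE = re.compile(rb"/Producer" + WS + rb"*[(<]")  # the Info dict has no /Type


def object_types(pdf: bytes) -> list[str]:
    """Walk objects in file order and record a structural label for each:
    /Type joined with /Subtype when present (XObject/Image, Annot/Link,
    Font/Type1) or 'Producer' for the Info dictionary. Only the dictionary
    preceding a `stream` keyword is inspected, so payload bytes, URIs and
    image data cannot influence the result. Objects packed inside object
    streams (/Type /ObjStm) would have to be inflated first; this toy does not."""
    labels = []
    for m in OBJ_RE.finditer(pdf):
        dictionary = m.group(3).split(b"stream", 1)[0]
        t = TYPE_RE.search(dictionary)
        if t:
            label = t.group(1).decode("ascii")
            s = SUBTYPE_RE.search(dictionary)
            if s:
                label += "/" + s.group(1).decode("ascii")
            labels.append(label)
        elif PRODUCER_RE.search(dictionary):
            labels.append("Producer")
    return labels


def pdf_object_hash(pdf: bytes) -> str:
    """The fingerprint: SHA-256 of the ordered, comma-joined label sequence."""
    return hashlib.sha256(",".join(object_types(pdf)).encode("ascii")).hexdigest()


def build_pdf(uri: bytes, with_link: bool = True, ws: bytes = b"\n") -> bytes:
    """Constructed minimal PDF (no xref table; not a real sample): catalog, page
    tree, one page, an image XObject, an optional /Link annotation with a URI
    action, a Type1 font and an Info dictionary. `ws` is the whitespace byte
    placed between tokens so that whitespace variation can be exercised."""
    n_img = 4
    n_link = 5 if with_link else None
    n_font = 6 if with_link else 5
    n_info = n_font + 1
    page = (b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 %d 0 R >> "
            b"/Font << /F1 %d 0 R >> >> " % (n_img, n_font))
    if with_link:
        page += b"/Annots [%d 0 R] " % n_link
    page += b">>"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        page,
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Length 1 >>\nstream\n\xff\nendstream",
    ]
    if with_link:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI " + uri + b" >> >>")
    objs += [
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Producer (Constructed Writer 1.0) >>",
    ]
    parts = [b"%PDF-1.7"]
    for num, body in enumerate(objs, start=1):
        parts.append(b"%d 0 obj" % num + ws + body + ws + b"endobj")
    parts.append(b"trailer" + ws + b"<< /Root 1 0 R /Info %d 0 R >>" % n_info)
    parts.append(b"%%EOF")
    return ws.join(parts)


if __name__ == "__main__":
    lure = build_pdf(b"(https://example.invalid/lure1)")
    # Same structure, different lure URL, carriage return instead of line feed.
    relured = build_pdf(b"(https://example.invalid/lure2)", ws=b"\r")
    # Hex string standing in for what an encrypted URI looks like to a parser:
    # opaque bytes, while the dictionary names around it stay in the clear.
    opaque = build_pdf(b"<6a2f1c9b7e04d3a8>", ws=b"\t")
    # Structurally different: the /Link annotation is gone.
    nolink = build_pdf(b"(https://example.invalid/lure1)", with_link=False)
    print(object_types(lure))
    print(pdf_object_hash(lure) == pdf_object_hash(relured))  # lure swap: same hash
    print(pdf_object_hash(lure) == pdf_object_hash(opaque))   # opaque string: same hash
    print(pdf_object_hash(lure) == pdf_object_hash(nolink))   # structure change: differs
```

The regex walk is enough to show the idea but not to field: real samples also carry object streams and cross-reference streams that must be inflated before their member objects are visible, and a dictionary whose string happens to contain the word "stream" would be truncated by the simple split used above. A production implementation would use a proper PDF parser for the object walk and keep only the label extraction and hashing shown here.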

Real-World Campaigns Tracked

Proofpoint applied the tool to track UAC-0050, a cluster targeting Ukraine with encrypted PDFs impersonating OneDrive. The documents deliver NetSupport RAT via JavaScript-laden URLs, and because the files are encrypted those URLs are hidden from parsers that rely on extracting link targets.

Hashing exposed structural similarities, enabling rapid signature creation and payload blocking (e.g., SHA256: ee03ad7c8f1e25ad157ab3cd9b0d6109b30867572e7e13298a3ce2072ae13e5).

Similarly, UNK_ArmyDrive, an India-based actor active since May 2025, uses PDFs in BEC lures like fake Bangladesh Ministry documents (SHA256: 08367ec03ede1d69aa51de1e55caf3a75e6568aa76790c39b39a00d1b71c9084).


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
