{"id":130999,"date":"2025-10-24T07:36:43","date_gmt":"2025-10-24T07:36:43","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=130999"},"modified":"2025-10-24T07:36:48","modified_gmt":"2025-10-24T07:36:48","slug":"pdf-tool-to-detect-malicious-pdf","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/","title":{"rendered":"New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique"},"content":{"rendered":"\n

A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural “fingerprints.”<\/p>\n\n\n\n

Released by Proofpoint, the tool empowers security teams to create robust threat detection rules based on unique object characteristics in PDF files.<\/p>\n\n\n\n

This innovation addresses the growing reliance of threat actors on PDFs for delivering malware, credential phishing, and business email compromise (BEC)<\/a> attacks.<\/p>\n\n\n\n

By focusing on document structure rather than volatile elements like URLs or images, the tool enables attribution to specific threat groups, even as attackers evolve their tactics. Proofpoint, a leading cybersecurity firm, developed this technique internally to track multiple threat actors.<\/p>\n\n\n\n

PDFs remain a staple in email-based campaigns, often embedding URLs to malware downloads, QR codes<\/a> directing users to phishing sites, or forged invoices mimicking brands like banks or services.<\/p>\n\n\n\n

Proofpoint notes that these files can initiate chains leading to remote access trojans or data theft.<\/p>\n\n\n\n

However, the PDF format’s complexity, allowing endless variations for compatibility, poses detection challenges, from encrypted streams hiding URIs to compressed objects obscuring payloads.<\/p>\n\n\n\n

The core issue lies in PDF’s flexibility: six valid whitespace types, compressible cross-reference tables, and objects that can embed or reference parameters interchangeably. <\/p>\n\n\n\n

Encryption further complicates matters, revealing only the document’s skeleton while concealing details like malicious links. <\/p>\n\n\n\n

Traditional signatures falter against these evasions, as minor tweaks render hashes or metadata useless.<\/p>\n\n\n\n

PDF Object Hashing sidesteps this by parsing the file’s object hierarchy, extracting types such as Pages, Catalog, XObject\/Image, Annotations\/Link, Metadata\/XML, Producer, and Font\/Type1. <\/p>\n\n\n

\n
\"\"\/<\/figure><\/div>\n\n\n

These are concatenated in order and hashed into a stable “fingerprint,” akin to imphash for executables. This ignores lure-specific changes, like updated images, allowing clustering of related files.<\/p>\n\n\n\n

As Proofpoint demonstrates<\/a>, overlapping hashes (visualized in green-yellow diagrams) reveal connections across variants, aiding threat hunting without decryption.<\/p>\n\n\n\n

Real-World Campaigns Tracked<\/strong><\/h2>\n\n\n\n

Proofpoint applied the tool<\/a> to track UAC-0050<\/a>, a cluster targeting Ukraine with encrypted PDFs impersonating OneDrive. These deliver NetSupport RAT via JavaScript-laden URLs, evading parsers due to encryption.<\/p>\n\n\n

\n
\"\"\/<\/figure><\/div>\n\n\n

Hashing exposed structural similarities, enabling rapid signature creation and payload blocking (e.g., SHA256: ee03ad7c8f1e25ad157ab3cd9b0d6109b30867572e7e13298a3ce2072ae13e5).<\/p>\n\n\n\n

Similarly, UNK_ArmyDrive, an India-based actor active since May 2025, uses PDFs in BEC lures like fake Bangladesh Ministry documents (SHA256: 08367ec03ede1d69aa51de1e55caf3a75e6568aa76790c39b39a00d1b71c9084). <\/p>\n\n\n\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural “fingerprints.” Released by Proofpoint, the tool empowers security teams to create robust threat detection rules based on unique object characteristics in PDF files. This innovation addresses the growing reliance of threat actors on PDFs for delivering malware, […]<\/p>\n","protected":false},"author":1,"featured_media":131006,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,56],"tags":[149,151],"class_list":{"0":"post-130999","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security-news","8":"category-cyberpedia","9":"tag-cyber-security","10":"tag-cyber-security-news"},"yoast_head":"\nNew PDF Tool To Detect Malicious PDF Using PDF Object Hashing Technique<\/title>\n<meta name=\"description\" content=\"A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural "fingerprints."\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique\" \/>\n<meta property=\"og:description\" content=\"A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural "fingerprints."\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-24T07:36:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-24T07:36:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp\" \/><meta property=\"og:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"New PDF Tool To Detect Malicious PDF Using PDF Object Hashing Technique","description":"A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural \"fingerprints.\"","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/","og_locale":"en_US","og_type":"article","og_title":"New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique","og_description":"A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural \"fingerprints.\"","og_url":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2025-10-24T07:36:43+00:00","article_modified_time":"2025-10-24T07:36:48+00:00","og_image":[{"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp","type":"","width":"","height":""},{"width":1600,"height":900,"url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp","type":"image\/jpeg"}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique","datePublished":"2025-10-24T07:36:43+00:00","dateModified":"2025-10-24T07:36:48+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/"},"wordCount":429,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp?w=1600&resize=1600,900&ssl=1","keywords":["cyber security","cyber security news"],"articleSection":["Cyber Security News","CyberPedia"],"inLanguage":"en-US","copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/","url":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/","name":"New PDF Tool To Detect Malicious PDF Using PDF Object Hashing Technique","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp?w=1600&resize=1600,900&ssl=1","datePublished":"2025-10-24T07:36:43+00:00","dateModified":"2025-10-24T07:36:48+00:00","description":"A new open-source tool called PDF Object Hashing is designed to detect malicious PDFs by analyzing their structural \"fingerprints.\"","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#primaryimage","url":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp?w=1600&resize=1600,900&ssl=1","contentUrl":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp?w=1600&resize=1600,900&ssl=1","width":"1600","height":"900"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/pdf-tool-to-detect-malicious-pdf\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"New PDF Tool to Detect Malicious PDF Using PDF Object Hashing Technique"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World's #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i1.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEisn5tU8CBfm6idOW3ZluUi1lU95hRZp09S2JO878pThfQB9mbooFgidILrEycqlSVErcj649bGu7eHbQWPSeC2hHIaz2WTUqDfh8EohiG4Ie2TmhEwBObbYgZpv9nXJPguEVIrO2I5OpLUZ11FRVeBPpGOu2ANghlIAx0fn2lagz9EAtoyeggw9wooWVcT\/s1600\/1000045300.webp?w=1600&resize=1600,900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/130999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=130999"}],"version-history":[{"count":5,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/130999\/revisions"}],"predecessor-version":[{"id":131021,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/130999\/revisions\/131021"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/131006"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=130999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=130999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=130999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}