By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SentinelOnePublished July 20, 2025

TL;DR: Malicious PDFs can trigger code execution through reader flaws, embedded JavaScript, XFA forms, or remote actions that force network callbacks and credential leakage, according to SentinelOne. The practical issue is not the file type itself but the trust assumptions built into PDF handling, browser rendering, and Windows authentication flows.


At a glance

What this is: This is a technical explainer on how malicious PDF files can run code, call back to remote servers, and leak NTLM credentials through crafted document actions.

Why it matters: It matters because PDF handling touches endpoint, browser, and identity controls, so defenders need to reduce callback exposure and monitor how authentication material can be abused through file-based attacks.

👉 Read SentinelOne's technical walkthrough of malicious PDF execution paths


Context

Malicious PDFs are dangerous because the file format supports active content, and many readers and browsers still process that content by default. The risk is not limited to one application, since embedded JavaScript, form actions, and remote document references can all be used to trigger unwanted network activity or exploit a flaw in the rendering engine.

For identity and access teams, the important point is that a document attack can become an identity attack when a reader or operating system automatically sends authentication material during a callback. That makes PDF threats relevant to endpoint hardening, browser controls, NTLM exposure, and broader credential governance.


Key questions

Q: What breaks when PDF readers are allowed to execute active content by default?

A: Default active-content handling turns a document viewer into a runtime execution surface. That can allow JavaScript, form actions, or remote references to trigger network activity, leak authentication material, or exploit a reader flaw. Security teams should treat PDF rendering as a controlled execution path, not a passive file preview, especially on managed endpoints that hold enterprise credentials.

Q: Why do malicious PDFs create identity risk as well as endpoint risk?

A: Because a crafted PDF can force a callback that exposes NTLM material or other authentication data without explicit user intent. That means the attack affects credential governance, not just malware detection. Teams should combine reader hardening, authentication policy, and egress controls so a file-open event cannot become a credential transfer event.

Q: How do security teams reduce callback abuse from PDF files?

A: They should disable unnecessary PDF scripting, block remote document actions, and prevent untrusted outbound connections from reader processes. The goal is to break the chain between file rendering and network initiation before the document can contact attacker infrastructure. Endpoint policy should also log and alert on unusual SMB or HTTP traffic immediately after PDF opens.

Q: What should organisations review first after a PDF credential-leak alert?

A: Start with the endpoint, the reader configuration, and the authentication path that was exposed. Confirm whether the callback used NTLM, whether the destination was approved, and whether similar document actions are allowed elsewhere in the estate. The immediate goal is containment of the exposure path, then policy correction across all managed PDF viewers.


Technical breakdown

How malicious PDFs execute JavaScript

PDFs can contain numbered objects, streams, and dictionaries that hide executable content inside what looks like ordinary document data. Attackers may embed JavaScript through AcroForms, XFA forms, or object references, and the code can be compressed or encoded to resist casual inspection. When a reader parses the file, the script can run inside the application context if the product permits active content. Some attacks rely on a vulnerability, while others use legitimate document features in a malicious way.

Practical implication: restrict PDF JavaScript and inspect high-risk documents before they reach standard user readers.

GoToR actions and remote callback abuse

PDF action dictionaries can instruct a reader to open a remote destination through a GoToR action or a similar reference. If that destination points to an SMB share or attacker-controlled server, the victim device may initiate a network connection automatically. On Windows, that connection can expose NTLM authentication material because the system tries to authenticate to the remote location without explicit user intent. The abuse path depends less on the document looking malicious and more on how the reader handles remote references.

Practical implication: block or tightly control remote PDF actions that can force outbound connections to untrusted destinations.

Why browser-integrated PDF readers raise the exposure surface

PDF readers are not only standalone desktop apps. Modern browsers often include embedded PDF engines, which means a malicious file can reach a broader set of user sessions and network paths than many teams assume. That widens the operational blast radius because the same content may be opened in different contexts, with different controls, and different authentication behaviour. In enterprise environments, this is an endpoint governance issue as much as an application security issue.

Practical implication: inventory where PDF rendering occurs and apply consistent controls across browsers, desktop readers, and managed endpoints.


Threat narrative

Attacker objective: The attacker wants to turn a document open into credential exposure or remote code execution that can be reused for follow-on access.

  1. Entry begins when a victim opens a crafted PDF delivered through phishing or another social engineering channel, and the file contains obfuscated JavaScript, action dictionaries, or remote references.
  2. Credential harvesting occurs when the document triggers a callback to an SMB share or remote host, causing the endpoint to send NTLM material or other authentication data automatically.
  3. Impact follows when the attacker reuses leaked authentication data for relay, access, or further intrusion against enterprise systems.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Malicious PDFs are really a control-gap problem, not just a file-format problem. The article shows that execution can come from reader flaws, active content, or remote references, which means the defensive question is where rendering is allowed and what it can reach. Once a document can cause outbound authentication or script execution, the boundary between content handling and identity exposure collapses. Practitioners should treat PDF processing as a governed execution surface, not a harmless viewer task.

NTLM leakage via document callbacks is a standing-credential exposure problem. The attack path works because the endpoint is allowed to reveal authentication material when it contacts an untrusted resource. That is an identity governance issue, not only an endpoint issue, because the same automatic trust assumptions exist across browsers, file handlers, and Windows authentication flows. Practitioners should map document-driven callbacks to their credential exposure policy and reduce automatic authentication wherever possible.

Document active content creates a hidden trust boundary that many programmes still under-estimate. PDF JavaScript, AcroForms, and XFA are legitimate features, but they also create a channel for abuse when the organisation assumes static documents are inert. The named concept here is document callback exposure: a file format or reader feature that turns content rendering into an outbound connection or credential transfer event. Practitioners should inventory every place that assumption exists and constrain it deliberately.

Endpoint, browser, and identity controls need to be aligned on file-based attack paths. Teams often harden one layer while leaving another permissive, which is why document attacks persist. The relevant standards lens is MITRE ATT&CK for the credential-access and impact stages, plus NIST CSF for protective and detective coverage across assets and communications. Practitioners should build one control model for the full document-open chain, not separate it by team boundary.

What this signals

Document-based callback abuse is a useful reminder that identity exposure can begin with file handling, not just with login flows. As more organisations rely on browser-integrated readers and remote workstations, the practical control question becomes whether a document can cause an authenticated network call at all. Teams should audit those paths now rather than waiting for a phishing event to expose the gap.

The named concept here is document callback exposure. It captures the moment when a seemingly static file becomes an outbound connection or credential transfer trigger, which is exactly where many endpoint and identity assumptions break down. When that boundary is visible, policy can be written around it, and the attack surface becomes governable instead of implicit.


For practitioners

  • Disable unnecessary PDF JavaScript Turn off Acrobat JavaScript and equivalent active-content features wherever the business does not need interactive PDFs. Use exception handling for known workflows rather than leaving scripting enabled broadly.
  • Block untrusted remote PDF actions Restrict GoToR-style actions and outbound SMB connections from PDF readers so a document cannot force credential-bearing network calls to attacker-controlled infrastructure.
  • Harden NTLM exposure on managed endpoints Review whether systems still auto-negotiate NTLM in places where Kerberos or other controlled authentication paths are available. Reduce the chance that a document callback can leak reusable authentication material.
  • Standardise PDF rendering controls across browsers and readers Map every approved PDF rendering path, including browser-integrated viewers, desktop readers, and virtualised workspaces, then apply the same network and scripting restrictions across each path.
  • Tune detection for document-driven outbound traffic Alert on PDF opens that generate immediate SMB, HTTP, or DNS activity from user endpoints, especially where those destinations are not part of normal business workflows.

Key takeaways

  • Malicious PDFs are dangerous because active content and remote actions can convert a file open into code execution or credential leakage.
  • The most relevant failure mode is automatic trust in reader behaviour, especially where NTLM or other authentication material can be exposed through callbacks.
  • Defenders should harden PDF rendering, constrain outbound document actions, and monitor endpoint network activity immediately after file opens.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0004 , Privilege Escalation; TA0008 , Lateral MovementThe article focuses on malicious file delivery, credential leakage, and follow-on reuse.
NIST CSF 2.0PR.AC-4The issue is uncontrolled authentication exposure through reader-triggered network calls.
NIST SP 800-53 Rev 5IA-5NTLM leakage and credential misuse fall under authenticator management and exposure control.
CIS Controls v8CIS-6 , Access Control ManagementThe document attack succeeds by abusing how endpoints and users are allowed to authenticate.

Limit document-driven access paths and enforce least privilege for applications that can reach sensitive resources.


Key terms

  • AcroForms: AcroForms are interactive form features built into PDF files so users can enter data, submit values, or trigger document actions. In security terms, they matter because the same interactivity that improves usability can also be abused to run scripts or initiate unintended network activity in a reader.
  • XFA Forms: XFA Forms are dynamic PDF form structures designed to support richer document behaviour, including resizing and scripted interaction. They can expand the attack surface because a reader may process embedded logic or external references automatically, which is why defenders treat them as a potential delivery mechanism for callback abuse.
  • NTLM Relay: NTLM relay is an attack technique where an authenticated challenge-response session is captured and forwarded to another service that accepts it as legitimate. The attacker does not need the password itself, only a reusable authentication exchange that the target will trust.
  • GoToR Action: A GoToR action is a PDF instruction that tells a reader to jump to a remote destination or resource. It is security-sensitive because an attacker can abuse it to make the victim device contact an untrusted host, sometimes triggering credential negotiation or other unsafe network behaviour.

What's in the full article

SentinelOne's full article covers the technical parsing details this post intentionally leaves for the source:

  • Byte-level walkthrough of PDF object structure, streams, dictionaries, and encoded JavaScript
  • Examples of compressed and octal-encoded payloads that reveal how malicious content hides in plain sight
  • Reader-side mitigation options such as Acrobat JavaScript controls and Windows NTLM handling
  • Discussion of EDR visibility, firewall controls, and file-scanning approaches for enterprise environments

👉 SentinelOne's full post covers PDF object decoding, callback abuse, and endpoint protections in more depth

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course. Explore nhimg.org for resources that connect identity governance to the broader security disciplines your programme depends on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org