Proofpoint Releases Innovative Detections For Threat Hunting: PDF Object Hashing
Proofpoint, Thursday, October 23rd, 2025
The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways.
Key findings
- Proofpoint created a new open-source tool, 'PDF Object Hashing', for creating threat detection rules based on unique characteristics in PDFs.
- This technique can help with identifying related documents and enable attribution when threat actors rely on PDFs for malware or credential phishing payloads.
- Proofpoint uses this tool internally to help track multiple threat actors.
- The tool is now available on GitHub.
For example, threat actors often distribute PDFs that contain URLs leading to malware or credential phishing; PDFs with QR codes leading to malicious web pages; or PDFs with fake banking details or invoices to enable business email compromise (BEC) activity.
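To illustrate the idea behind the key findings above, here is an added example (not Proofpoint's tool or its actual algorithm) of a structural fingerprint: it labels each indirect object in a PDF by its /Type and /Subtype, hashes that ordered profile, and shows that two constructed lures sharing a layout but pointing at different URLs hash the same, while a structurally different file does not. The PDF samples, regexes and function names are assumptions constructed for this example.

```python
import hashlib
import re
from typing import List

# Assumed, simplified parsing: "N G obj ... endobj" with no nested objects.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
TYPE_RE = re.compile(rb"/Type\s*/(\w+)")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")


def object_profile(pdf: bytes) -> List[str]:
    """One label per indirect object, ordered by object number.

    The label keeps /Type (and /Subtype when present), so the profile
    reflects document layout and ignores strings such as rotated URLs.
    """
    objs = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        t = TYPE_RE.search(body)
        s = SUBTYPE_RE.search(body)
        label = t.group(1).decode() if t else "untyped"
        if s:
            label += "/" + s.group(1).decode()
        objs.append((num, label))
    return [label for _, label in sorted(objs)]


def pdf_object_hash(pdf: bytes) -> str:
    """SHA-256 over the object profile: a structural hash, not a file hash."""
    return hashlib.sha256("\n".join(object_profile(pdf)).encode()).hexdigest()


# Constructed samples (not real lures). A and B share layout, differ in URL.
PDF_A = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-a.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
PDF_B = PDF_A.replace(b"lure-a.invalid/", b"lure-b.invalid/login")
# C removes the link annotation entirely, so the structure (and hash) changes.
PDF_C = re.sub(rb"4 0 obj.*?endobj\n", b"", PDF_A.replace(b" /Annots [4 0 R]", b""), flags=re.S)

if __name__ == "__main__":
    print(object_profile(PDF_A))  # ['Catalog', 'Pages', 'Page', 'Annot/Link']
    print(pdf_object_hash(PDF_A) == pdf_object_hash(PDF_B))  # True
    print(pdf_object_hash(PDF_A) == pdf_object_hash(PDF_C))  # False
```

A file hash of PDF_A and PDF_B would differ, which is why a structural fingerprint is better suited to clustering related lures than a SHA-256 of the whole file.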