Didier Stevens

Thursday 31 May 2018

PDFiD: GoToE and GoToR Detection (“NTLM Credential Theft”)

Filed under: My Software,PDF — Didier Stevens @ 0:00

The article “NTLM Credentials Theft via PDF Files” explains how PDF documents can refer to a resource via UNC paths. This is done using the PDF names /GoToE or /GoToR.

My tool pdfid.py can now be extended to report /GoToE and /GoToR usage in a PDF file, without having to change the source code. You just have to edit the pdfid.ini file (or create it) to include these names, like this:

[keywords]
/URI
/GoToE
/GoToR

Using pdfid configured like this on a “credential stealing PDF” gives the following result:

pdfid.ini has to be located in the same directory as pdfid.py. And remember that names in the PDF language are case-sensitive.
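The following is an added example, not code from pdfid.py or from the original post: a minimal name counter that reads a [keywords] section laid out like the one above and matches names case-sensitively. It goes slightly beyond the post by also resolving #xx hex escapes inside names. The function names, the sample ini text and the sample bytes are constructed for illustration, and the byte string is not a complete or valid PDF.

```python
import configparser
import re

# Constructed pdfid.ini content, same layout as shown in the post.
SAMPLE_INI = """[keywords]
/URI
/GoToE
/GoToR
"""

# Constructed bytes for illustration only; not a complete or valid PDF.
SAMPLE_PDF = (b"<< /Type /Action /S /GoToR >>\n"
              b"<< /Type /Action /S /G#6fToE >>\n"   # #6f is a hex-escaped 'o'
              b"<< /Type /Action /S /gotor >>\n"      # wrong case: a different name
              b"<< /URI (https://example.invalid/) >>\n")

# A name is '/' followed by characters that are neither whitespace nor delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def load_keywords(ini_text):
    """Read the names listed under [keywords], preserving their case."""
    parser = configparser.ConfigParser(allow_no_value=True)
    parser.optionxform = str  # the default would lowercase '/GoToE' to '/gotoe'
    parser.read_string(ini_text)
    return list(parser["keywords"])

def decode_name(raw):
    """Resolve #xx hex escapes inside a PDF name token."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def count_names(data, keywords):
    """Return {name: [total, hex_escaped]} using exact, case-sensitive matching."""
    counts = {k: [0, 0] for k in keywords}
    for token in NAME_RE.findall(data):
        name = decode_name(token).decode("latin-1")
        if name in counts:
            counts[name][0] += 1
            counts[name][1] += token != name.encode("latin-1")
    return counts

if __name__ == "__main__":
    result = count_names(SAMPLE_PDF, load_keywords(SAMPLE_INI))
    for name, (total, escaped) in result.items():
        print(f"{name:10} {total} ({escaped} hex-escaped)")
```

Like any byte-level scan, this also matches name-like text inside strings and streams, so a non-zero count is a triage signal rather than proof of an action.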

 
