Microsoft Office Exploitation allows to include information that one document has in another document. By using this feature attackers can inject malicious contents into the PDF and if the PDF file is opened then the target automatically start leaking data in the form of NTLM hashes. If the user opens the document then there is no alert on attackers activity and it is impossible to notice the behavior. The leaked data are transferred through SMB and the attackers can use it for various SMB relay attacks.”]
Source: https://gbhackers.com/steal-ntlm-credentials-pdf-files/