Researchers from Ruhr-University Bochum have demonstrated a novel class of attacks that could allow a bad actor to break the integrity protection of digitally signed PDF documents. The attacks leverage “harmless” PDF features which do not invalidate the signature, such as “incremental update” and “interactive forms” to hide the malicious content behind seemingly innocuous overlay objects. A third variant called “hide and replace” can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.
Source: https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html