Bad-PDF create malicious PDF to steal NTLM Hashes from windows machines, it utilize technique disclosed by checkpoint team to create the malicious PDF file. It reads the NTLM hashes using Responder listener.
Reference : https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
Responder