Security specialist Didier Stevens has shown how a file can store a malicious stream object in meta data rather than the pages of a document, and how that meta data can be read by Windows Explorer through a shell extension which generates the required mouseover tooltips to execute the malicious code.
Stevens explains that when you install Adobe Acrobat Reader a Column Handler Shell Extension is installed which is "a special program (a COM object) that will provide Windows Explorer with additional data to display (in extra columns) for the file types the column handler supports. The PDF column handler adds a few extra columns, like the Title. When a PDF document is listed in a Windows Explorer windows, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info..."