Can a PDF Have a Virus? How to Check PDF Files Safely

Stephanie Adlam
Stephanie Adlam
10 Min Read
PDF Virus Risk: hidden links, embedded scripts, and potential malware in a PDF document.
PDF Virus Risk: hidden links, embedded scripts, and potential malware.

Yes, a PDF can have a virus or another malicious payload. The risk usually comes from embedded JavaScript, hidden file attachments, links to phishing pages, or exploits that target an outdated PDF reader. A normal PDF from a trusted sender is usually safe, but an unexpected invoice, delivery note, resume, ebook, or “secure document” attachment deserves a check before you open it or click inside it.

If you already opened a suspicious PDF, close it, do not allow any extra permission prompts, do not download anything the document asks for, and scan the file or device. You can upload the file to the Gridinsoft Online Virus Scanner for a quick reputation check, then run a local malware scan if the PDF came from an unknown sender or led you to a strange website.

Can a PDF Have a Virus?

A PDF is a document format, not an executable program by default. That is why many people treat PDFs as safer than EXE, BAT, or script files. The problem is that PDFs are not always static images of text. They can contain interactive forms, embedded files, clickable links, JavaScript actions, and metadata that a reader application must parse. Adobe’s own security documentation describes protected and enhanced security features because risky actions and cross-domain access are possible inside untrusted PDFs [1][2].

In everyday language, people say “PDF virus” for several different threats: a malicious PDF that exploits a reader bug, a PDF that uses JavaScript to trigger a download, a document that hides a phishing link, or a file named like invoice.pdf.exe to fool users who hide file extensions. The result can be malware, credential theft, spyware, or a trojan downloader.

Why Attackers Still Use PDF Files

PDFs are trusted in daily work. People expect invoices, resumes, contracts, tax forms, delivery notices, and manuals to arrive as PDF attachments, so attackers use that familiarity to lower suspicion. A malicious PDF can also look clean during a quick preview because the real danger may be a link, button, or script that activates only after the user interacts with the document.

How PDFs Become Malicious

PDF technique What it can do
Embedded JavaScript Runs document actions, opens URLs, changes form behavior, or tries to abuse an outdated reader.
Reader exploit Uses a vulnerability in Adobe Acrobat, a browser PDF viewer, or another reader to execute code.
Hidden attachment Packs another file inside the PDF, such as a script, archive, or executable payload.
Phishing link or form Sends the user to a fake login, payment, delivery, or document portal.
Double extension trick Names an executable file like a PDF so Windows shows it as a harmless document.

Embedded JavaScript and Actions

JavaScript in PDFs is legitimate when it supports forms or document automation. Attackers abuse the same feature to open external URLs, display fake prompts, or try to trigger behavior in the PDF reader. Adobe Enhanced Security is designed to limit untrusted PDF actions, including attempts to communicate with other domains [1].

JavaScript code embedded in a suspicious PDF file.
Suspicious JavaScript objects inside a PDF can be a sign that the file is doing more than displaying text.

Modern malicious PDFs often rely on user interaction rather than automatic infection. In 2025, Varonis documented MatrixPDF, a toolkit that can add blurred overlays, fake “Open Secure Document” prompts, JavaScript actions, and redirect buttons to ordinary-looking PDFs [5]. That kind of attack may pass basic attachment checks because the binary payload is not inside the document until the victim clicks.

MatrixPDF builder showing JavaScript actions and fake secure document prompts in a PDF.
MatrixPDF-style builder options show how fake secure-document prompts and JavaScript actions can be added to PDFs. Source: Varonis research, cited below.

Phishing Links in PDF Files

A malicious PDF does not need to exploit software to be dangerous. It may simply contain a convincing button or link that opens a fake Microsoft 365, bank, courier, payroll, or invoice page. Microsoft Defender SmartScreen helps block known phishing and malware websites, but users should still inspect links before entering credentials [3]. CISA also warns users to treat unexpected links and attachments in suspicious messages as phishing signals [4].

Suspicious link embedded inside a PDF document.
A PDF can hide a phishing link behind normal-looking text, buttons, or document-preview prompts.

Outdated PDF Readers

PDF readers and browser PDF viewers process complex file structures. If the reader is outdated, a malicious document may exploit a known vulnerability. This is why protected mode, protected view, browser sandboxing, and regular updates matter. If you use Adobe Acrobat or Reader, keep Protected View and Enhanced Security enabled for files from the internet [1][2].

Signs a PDF May Be Malicious

  • The PDF arrives unexpectedly, especially as an invoice, delivery notice, legal document, resume, refund note, or shared file.
  • The sender address, domain, or message wording does not match the organization it claims to represent.
  • The file asks you to click “Open Secure Document”, “Enable Content”, “View Invoice”, or a similar button.
  • The document opens a browser tab, download prompt, login page, or permission dialog.
  • The link target does not match the visible company name when you hover over it.
  • The file name uses a double extension, such as statement.pdf.exe or invoice.pdf.scr.
  • The PDF reader warns about JavaScript, external connections, embedded files, or untrusted content.
  • Your security tool flags the PDF, the download URL, or a process launched after opening it.

How to Check a PDF for Viruses Before Opening It

  1. Verify the sender first. If the PDF came by email or messenger, confirm through a separate channel before opening it.
  2. Check the full file name. Enable file extensions in Windows and make sure the file really ends in .pdf, not .pdf.exe.
  3. Scan the file. Use your installed security tool or the Gridinsoft Online Virus Scanner before opening a suspicious document.
  4. Open only in a protected reader. Use a current browser PDF viewer or Adobe Reader/Acrobat with Protected View and Enhanced Security enabled.
  5. Do not click embedded buttons or links. If the document says it is “locked” and asks you to open a separate website, treat that as suspicious.
  6. Keep scripts disabled when possible. If you do not need interactive PDF forms, disabling JavaScript in the PDF reader reduces attack surface.

What to Do If You Opened a Suspicious PDF

  1. Close the PDF and any page it opened. Do not approve prompts, downloads, macro-like actions, or login requests.
  2. Disconnect if something downloaded or ran. If a file launched, a terminal flashed, or a strange process appeared, disconnect from the network until you scan the device.
  3. Run a full scan. Use Gridinsoft Anti-Malware or another trusted local scanner to check for trojans, spyware, stealers, and persistence.
  4. Change passwords only from a clean device. If you entered credentials on a page opened by the PDF, reset them from another trusted computer or phone and enable MFA.
  5. Check browser downloads and startup items. Delete unexpected downloads and review recently installed apps or browser extensions.
  6. Report the message. Forward the suspicious email to your IT/security team, mail provider, or the organization being impersonated.

Can You Get Infected Just by Downloading a PDF?

Usually, downloading a PDF without opening it is less risky than opening it, clicking links inside it, or allowing it to run actions. The danger increases when a PDF reader parses the file, when the user interacts with a malicious prompt, or when another file hidden behind the PDF name is actually executed. Still, if the file came from a suspicious source, scan it before opening and delete it if the sender cannot be verified.

Are PDFs Safer on Phones?

Phones are not immune. Mobile PDF viewers are sandboxed, but PDF phishing still works on iPhone and Android because the attack may only need a click to open a fake login page. Keep the OS and apps updated, avoid installing APKs or apps offered by a PDF link, and do not enter passwords into pages opened from an unexpected document.

How to Reduce PDF Virus Risk

  • Keep Windows, browsers, Adobe Reader/Acrobat, and other PDF readers updated.
  • Use Protected View, Enhanced Security, and browser sandboxing for files from the internet.
  • Disable PDF JavaScript unless you need it for trusted business forms.
  • Do not open unexpected invoices, resumes, legal notices, or delivery documents without verifying the sender.
  • Hover over PDF links before clicking, and avoid shortened URLs or domains that do not match the claimed company.
  • Use endpoint protection that scans downloaded files, URLs, and suspicious behavior.
  • Back up important files so a malware incident does not become a data-loss incident.

FAQ

Can a PDF have a virus if it only contains text?

It is less likely, but appearance alone is not enough. A PDF that looks like plain text can still contain hidden links, objects, scripts, or malformed structures. Scan unexpected files and use a protected reader.

Can opening a PDF install malware automatically?

It is possible, especially with an outdated or vulnerable reader, but many current attacks require a click, permission prompt, or redirect. Keep readers updated and do not approve actions requested by an unexpected document.

Can a PDF steal passwords?

Yes, commonly through phishing. The PDF may link to a fake login page or show a button that pretends to unlock a secure document. If you entered credentials, change them from a clean device and enable MFA.

Should I scan every PDF?

You do not need to scan every trusted document from a known workflow, but you should scan PDFs from unknown senders, unexpected emails, public downloads, file-sharing links, or messages that create urgency.

Can a PDF virus affect Mac or Android?

Yes, but the risk depends on the exploit, viewer, and user action. Even when malware execution is harder, phishing links and fake login pages work across Windows, macOS, iPhone, and Android.

References

  1. Adobe. “Enhanced security setting for PDFs.” Adobe Acrobat Help, last updated March 28, 2025, accessed June 2, 2026. https://helpx.adobe.com/in/acrobat/using/enhanced-security-setting-pdfs.html
  2. Adobe. “Protected View and Protected Mode overview.” Adobe Acrobat Help, accessed June 2, 2026. https://helpx.adobe.com/acrobat/desktop/protect-documents/use-protected-view/protect-view-mode.html
  3. Microsoft. “Microsoft Defender SmartScreen overview.” Microsoft Learn, accessed June 2, 2026. https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
  4. Cybersecurity and Infrastructure Security Agency. “Recognize and Report Phishing.” CISA, accessed June 2, 2026. https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
  5. Daniel Kelley. “MatrixPDF Puts Gmail Users at Risk with Malicious PDF Attachments.” Varonis, September 30, 2025, accessed June 2, 2026. https://www.varonis.com/blog/matrixpdf
Adobe Reader Infostealer Plagues Email Messages in Brazil
Business Email Compromise (BEC): Signs, Examples, and What to Do
Are AI Deepnude Sites Safe?
AggregatorHost.exe: Safe Microsoft Process or Malware?
North Korean Hackers Force US, Japan & South Korea Consultations
TAGGED:
Share This Article
ByStephanie Adlam
Follow:
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.
Previous Article BlackLotus UEFI bootkit Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit
Next Article Domino Uses Parts of Lizar Malware, Delivered by Dave Loader Domino Backdoor is Lead by FIN7 and Conti Actors
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?