Can PDFs have viruses? How to keep your devices safe

Can a PDF have a virus?

It’s possible for a PDF to contain a virus. While the file itself is just a document, attackers can embed infected code, scripts, or links that activate once the file is opened or interacted with. Infected PDFs may install malware, steal data, or grant remote access to your device without your knowledge.

These threats often hide behind ordinary-looking documents shared through email, messaging apps, or unverified download links, which is why they should never be opened blindly.

How can PDFs contain viruses?

Hackers can manipulate the professional appearance of PDF documents to harm devices with various viruses. Additionally, PDFs can be easily used for phishing campaigns when sending Word or Excel files seems less natural. For instance, PDFs are more commonly used for invoices or documents that contain payment information.

The actual danger, however, lies in the PDF format’s features. These files can include clickable URLs, embedded files, and JavaScript. The latter code additions can be used to customize PDF files. However, they also open doors for structures triggering malicious behavior.

Are PDF files commonly used in malicious campaigns?

PDFs are frequently used in malware campaigns. The familiarity and a sense of safety PDFs engender in recipients do the trick of convincing phishing targets to download and open them. Researchers have reported multiple malware examples exploiting PDFs:

• A Java-based remote access trojan (RAT) named StrRAT used infected PDF files to spread malicious software, including scareware. In this campaign, the PDFs downloaded additional payloads that displayed fake security alerts and attempted to steal stored passwords and banking information.
• A keylogger called Snake spread through phishing emails that included infected PDF attachments. Once opened, these PDFs contained embedded Word documents that executed malicious code to install the keylogger and record victims’ keystrokes.
• A North Korean cybercrime group known as Lazarus launched email campaigns targeting macOS users with infected PDF files posing as cryptocurrency job offers.

Cybercriminals continue to use PDFs because this type of file can easily bypass filters and blend into everyday communication. With many people working remotely and sharing documents online, this simple format remains a convenient tool for delivering malware.

What damage can PDF viruses do?

The consequences of downloading and opening a PDF file depend on the type of infection it may spread. Generally, opening a malicious PDF file can initiate any kind of behavior set up by hackers.

However, the most common attacks involve stealing information such as login credentials or financial data. In some cases, the malware inside a PDF creates a backdoor that lets hackers install additional threats on the device. As a result, a single infected PDF file can lead to serious consequences, from data theft to a ransomware attack.

Signs of a malicious PDF

Malicious PDFs can look almost identical to legitimate ones — that’s what makes them dangerous. However, certain signs can reveal hidden threats before you open or interact with the file:

• Unexpected pop-ups or alerts. If your PDF reader shows sudden warnings or prompts you to enable extra features, it may indicate a script trying to execute code in the background.
• Unusual file behavior. Slow loading, crashes, or system activity spikes after you open a document can signal that hidden processes are running on your device.
• Broken or mismatched digital signatures. A legitimate PDF often carries a clear, valid signature. If it’s broken, missing, or inconsistent with the sender, the file may have been tampered with.
• Executable files hidden inside. A PDF that contains or prompts you to download executable files (like .exe, .bat, or .scr) is a red flag — these can install malware or other harmful programs.
• Unexpected attachments or downloads. Be cautious of PDF attachments that open additional files or links without explanation. Attackers often use them to deliver malware.
• Hyperlinks leading to unfamiliar websites. Always hover over links before clicking. Malicious links often disguise themselves behind normal-looking text or buttons.
• Corrupted or invalid structure. A PDF that your reader struggles to open — or one flagged as having an “invalid file format” — may have been altered to hide malicious code.
• Suspicious forms requesting sensitive data. PDFs that ask for login details, payment info, or personal data may be phishing attempts. A reliable reader can sometimes flag such requests automatically.
• Tampering alerts from security tools. Good antivirus software or a vulnerability scanner can detect anomalies within the PDF format and warn you before damage occurs.

What types of threats can be found in PDF files?

PDF files can hide many types of malicious software, often disguised as harmless documents. Attackers exploit weaknesses in the PDF format to insert harmful code or attachments that activate once opened. Below are some of the most common threats found in malicious PDF files:

• Trojans. Deceptive programs embedded in PDF attachments can steal personal data, log keystrokes, or give attackers remote access to your device.
• Ransomware. Some PDFs contain scripts or hidden files that encrypt your documents and demand payment for decryption.
• Spyware and keyloggers. These tools silently monitor your activity and collect sensitive data, including passwords and financial details.
• Malicious JavaScript. Attackers can add harmful JavaScript to a PDF, exploiting security gaps in outdated readers to execute code or install malicious software automatically.
• Phishing links. Fake PDFs may contain links or forms that mimic legitimate websites, tricking users into entering personal or banking information.
• Embedded executables. Some PDF attachments hide executable files (.exe, .bat, or .scr) that launch once extracted, infecting the device and spreading further malware.

How to defend against malicious PDFs

Whether you’re using a computer, iPhone, or Android device, staying safe from PDF viruses requires caution and strong digital hygiene. Attackers often rely on human error — a moment of trust, a quick click, or an outdated app — to infect devices. If you suspect your phone might already be compromised, here’s how to know if you have a virus on your phone.

Fortunately, a few simple habits can reduce your exposure to malicious PDF files. By combining antivirus software, secure browsing habits, and built-in tools like a trusted PDF reader, you can prevent most attacks before they start. Below are practical steps to protect your data and devices from infected PDFs.

Do not download unknown PDF files

Due to the nature of PDF files, you can never know what activities such files can initiate. So make it a rule never to download unknown PDF files — random emails with PDF attachments could originate from malicious senders.

However, completely avoiding PDFs is not a realistic option because you’ll likely come across them quite often. It’s important to know how to check if a PDF file is safe before opening it.

Malware hidden within ebooks

Pirated ebooks are common bait hackers use to lure book lovers into their traps. While some distributors initiate scans or checks of uploaded content, ensuring foolproof safety is impossible.

Before downloading digital versions of books on your reading list, see whether your download violates copyright laws. Then, remember that criminals could taint ebook PDFs with malware and scripts, severely compromising devices.

Update your software

Vulnerabilities in PDF readers and other software can make it easier for PDF malware to infect your system. Keeping all programs updated reduces the chances of getting infected.

Disable JavaScript in PDF documents

Turning off JavaScript in PDF readers is one possible solution for dealing with code execution attacks. So if you download a PDF designed to run malicious scripts, this code should not be able to run. Of course, turning off JavaScript might not be a long-term solution because some trusted PDFs do rely on it to function properly.

Use a trustworthy PDF reader

Many PDF readers exist, but be sure to use one that comes from a trusted source and receives regular software updates to combat vulnerabilities.

PDF viruses could exploit software flaws to run malware, create backdoors, or steal data. A well-managed and updated application is much more resistant to such exploits.

Scan the file for malware

You can separate malicious PDFs from harmless files by scanning them with an antivirus program or a trusted online file checker.

However, file-scanning software does not always work as users would expect. Since it is possible to conceal PDF file components, scanners might miss certain red flags of malicious behavior. If you notice any signs of malware, use NordVPN’s malware scanner, which helps detect hidden threats before they reach your system.

Lastly, if you encounter a suspicious PDF file, it is better not to download it at all.

Use other cybersecurity tools

Besides just scanning your files, adding extra security measures can make a real difference. Tools like NordVPN’s vulnerability scanner help you identify outdated or risky software that hackers might exploit through infected files. 

Meanwhile, using a secure VPN encrypts your traffic and reduces exposure to malicious downloads or phishing attempts. 

Combining various cybersecurity tools gives you a stronger defense against online threats that can hide even in everyday documents.