PDFs are everywhere—invoices, resumes, e-books, tickets, reports. But here’s the thing: not every PDF is safe. Some are infected with malware that can quietly install spyware, steal your logins, or hijack your device. And the worst part? Many of these infections run silently in the background, so once you discover them, the damage has already been done.
Hackers love PDFs because they feel harmless. They slip through email filters, look legit, and many people don’t think twice before opening them. In fact, over 20% of all email-based threats use PDF attachments, making them the most common file type for delivering malware in phishing campaigns.
The good news? You can stay safe without being paranoid. This guide explains how infected PDFs work and what you can do to protect yourself.
Can PDFs contain viruses?
Yes—they can carry viruses and other malware. A PDF might look like just text and images, but it can include embedded scripts, links, or multimedia. That flexibility is exactly what attackers exploit to hide malicious code in otherwise harmless-looking files.
As mentioned earlier, people generally trust PDFs, and this makes them a go-to for attackers. They can be programmed to run JavaScript, launch hidden commands, or take advantage of bugs in your PDF reader to compromise your system. Some even use hidden or encrypted objects that are designed to dodge antivirus detection—lying dormant until the file is opened.
Common ways PDFs can get infected
Not all PDF malware looks suspicious. In fact, some malicious PDFs are designed to appear completely harmless: a scanned invoice, a job offer, an e-book, or even a boarding pass. But under the hood, here’s what attackers can embed:
- JavaScript-based attacks: Some PDFs have embedded JavaScript that runs as soon as you open the file. It can download malware, send you to a phishing site, or exploit bugs in your PDF reader.
- Embedded files or executables: Attackers can hide other files, like .exe or .bat scripts, inside a PDF. If you’re tricked into opening them, they can launch malware instantly.
- Exploit kits: PDFs can be designed to take advantage of known security flaws in outdated PDF readers. If your software isn’t updated, a malicious PDF can use that loophole to install trojans or spyware.
- Phishing links: Not all attacks rely on code. Some PDFs are simply used to display fake login forms or trick you into clicking on a link to a malware-hosting site.
- Social engineering: A PDF might not be malicious on its own, but it could prompt you to enable features like “macros” or “enhanced content.” These prompts usually show up when you open the file in a PDF reader like Adobe Acrobat—and accepting them can trigger the real attack.
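Most of the features in the list above leave a recognizable name in the file's structure, so they can be counted without opening the file in a reader. The sketch below is an added example, not part of the original guide: it counts those names in the raw bytes and inside Flate-compressed streams, and undoes the `#xx` hex escapes sometimes used to disguise them. The sample file is constructed and the function names are this example's own.

```python
import re
import zlib

# PDF name tokens behind the features listed above; labels are this example's wording.
RISKY_NAMES = {
    b"/JS": "JavaScript source",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action that runs when the file opens",
    b"/AA": "additional event-triggered actions",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "file embedded in the PDF",
    b"/URI": "external link",
}
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /<>\[\](){}%]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_INFLATE = 10_000_000  # cap per stream so a decompression bomb cannot exhaust memory


def decode_name(token: bytes) -> bytes:
    """Undo #xx hex escapes, so /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def inflated_streams(data: bytes):
    """Yield the contents of Flate-compressed streams; skip anything zlib rejects."""
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1), MAX_INFLATE)
        except zlib.error:
            continue


def triage(data: bytes) -> dict:
    """Count risky names in the raw file and inside its compressed streams."""
    counts = {}
    for blob in (data, *inflated_streams(data)):
        for token in NAME_RE.findall(blob):
            name = decode_name(token)
            if name in RISKY_NAMES:
                counts[name.decode()] = counts.get(name.decode(), 0) + 1
    return counts


# Constructed fragment: an open action in plain sight, JavaScript inside a compressed stream.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /J#61vaScript /JS 4 0 R >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, count in triage(SAMPLE).items():
        print(f"{name:14} x{count}  {RISKY_NAMES[name.encode()]}")
```

A zero count is not proof that a file is clean: encrypted files and streams using other filters hide these names from this check, and many legitimate PDFs contain links or form scripts.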
Can a PDF infect your device without opening it?
This is where things get a little more nuanced. In most cases, a PDF can’t infect your device unless you open it. Just having the file sitting in your downloads folder isn’t usually enough to trigger an attack.
That said, there are exceptions. Some email apps and file explorers (like Mac Finder or Windows Explorer) auto-preview PDFs. If there’s a bug in the preview feature, it could trigger malicious code—no clicks needed. However, these “zero-click” attacks are rare and usually used in targeted spyware campaigns against high-profile individuals, not against everyday users.
In most situations, you need to open or interact with a malicious PDF to trigger the attack. But once the file is open, and if it’s been designed to exploit a vulnerability in your reader or system, things can deteriorate quickly.
What happens if you open a malicious PDF?
Opening a malicious PDF doesn’t always lead to something dramatic—it can hit quietly. What happens depends on what kind of malware is hidden inside and whether your system has vulnerabilities the file is designed to exploit. Here’s what a malicious PDF can do:
- Run a hidden script: Malicious PDFs can include JavaScript that runs the moment you open the file. These scripts can download malware, connect to remote servers, or quietly tamper with your system. Adobe has confirmed that PDFs can run hidden actions without the user knowing.
- Redirect you to a phishing site: Some PDFs open a link the moment you click or interact with them. It might look like a login page, invoice portal, or something familiar—but it’s a trap to steal your credentials.
- Exploit a software vulnerability: If you’re using an outdated version of Adobe Reader, Foxit, or another PDF app, an infected file can exploit known bugs to run malicious code. That’s how many trojans and spyware tools slip in.
- Activate remote access tools: Some infected PDFs can install remote access tools, letting someone take control of your system. It’s more common in targeted attacks, but regular users aren’t completely immune.
Since most attacks leave no obvious signs, users often don’t realize their system was compromised—until it’s too late.
How to scan a PDF for viruses and malware
As mentioned above, a PDF doesn’t need to look suspicious to be dangerous. That’s why scanning one before opening it is always smart—especially if it came from an unknown sender, a sketchy email, or even a trusted contact whose account might’ve been hacked.
Note that scanning before opening is only an option if the document doesn’t have password protection—if it does, you’ll need to enter the password to unlock it and then scan it. If you’re really suspicious of a password-protected PDF and can’t confirm its legitimacy, it’s best to just delete it.
Here’s how to scan a PDF safely.
Step-by-step guide to checking a PDF before opening it
Step 1: Check the PDF’s metadata and sender details
Start with basic detective work. Look at:
- The sender’s email address: Look for misspellings or sketchy domains (e.g., invoice@secure-payments-12822.com).
- The file name: Generic names like document.pdf or resume_final.pdf are common in phishing.
- Metadata inside the file: You can view PDF metadata using tools like PDFinfo or ExifTool. Check for things like:
  - Missing author names or generic ones like “admin” or “user.”
  - Creation tools that don’t match the file’s purpose (e.g., a “resume” made with a PDF printer or unknown software).
  - Dates that don’t line up with when the file was sent.
  - Empty or suspicious fields (like a blank title or strange keywords).
In this example, the Producer field shows “Skia/PDF m136 Google Docs Renderer,” which makes sense because the file was created in Google Docs. But if you see metadata that doesn’t line up with where the file came from—like missing author info or an unusual creation tool—proceed with caution.
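The metadata checks in Step 1 can also be scripted. The sketch below is an added example, not part of the original guide: it reads Info-dictionary fields directly from the file bytes and flags a generic author, a blank title, and a creation date later than the time the file was received, leaving the Producer value for you to judge. It assumes the metadata is stored as unencrypted literal strings, treats dates without a time zone as UTC, and uses a constructed sample; `review_metadata` and the other names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

GENERIC_AUTHORS = {"", "admin", "user"}  # values the checklist above treats as generic
FIELD_RE = re.compile(
    rb"/(Title|Author|Creator|Producer|CreationDate)\s*\(((?:\\.|[^\\()])*)\)"
)
DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?(?:([+-])(\d{2})'?(\d{2})?)?"
)


def info_fields(data: bytes) -> dict:
    """Collect Info-dictionary entries stored as plain literal strings."""
    return {k.decode(): v.decode("latin-1").strip() for k, v in FIELD_RE.findall(data)}


def parse_pdf_date(text: str):
    """Turn a PDF date such as D:20250520101500+02'00' into an aware datetime."""
    m = DATE_RE.match(text)
    if not m:
        return None
    offset = timedelta(hours=int(m[8] or 0), minutes=int(m[9] or 0))
    if m[7] == "-":
        offset = -offset
    try:
        parts = [int(m[i] or 0) for i in range(1, 7)]
        return datetime(*parts, tzinfo=timezone(offset))  # no offset given: assume UTC
    except ValueError:  # impossible date or offset
        return None


def review_metadata(data: bytes, received: datetime) -> list:
    """Return findings for the checklist; `received` must be timezone-aware."""
    fields, findings = info_fields(data), []
    if fields.get("Author", "").lower() in GENERIC_AUTHORS:
        findings.append(f"Author missing or generic: {fields.get('Author', '')!r}")
    if not fields.get("Title"):
        findings.append("Title is blank or missing")
    created = parse_pdf_date(fields.get("CreationDate", ""))
    if created is None:
        findings.append("CreationDate missing or unreadable")
    elif created > received:
        findings.append(f"Created {created.isoformat()}, after it was received")
    return findings


# Constructed sample: generic author, blank title, created a day after it was received.
SAMPLE = (b"5 0 obj\n<< /Title () /Author (admin) "
          b"/Producer (Skia/PDF m136 Google Docs Renderer) "
          b"/CreationDate (D:20250520101500+02'00') >>\nendobj\n")
RECEIVED = datetime(2025, 5, 19, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("Producer:", info_fields(SAMPLE).get("Producer"))
    for finding in review_metadata(SAMPLE, RECEIVED):
        print("-", finding)
```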
Step 2: Use an online PDF scanner for quick detection
There are several free online services that scan files using dozens of antivirus engines:
Upload the PDF to one of these platforms—they scan files for known malware and flag anything suspicious. Never open the file before scanning, and don’t drag it straight from your email (in Chrome, it’s easy to drag it in a way that accidentally opens it). Download it first to stay safe.
Step 3: Scan the PDF locally with antivirus software
If you already use antivirus software (and you should), scan the file manually before opening it:
- Right-click the file and choose “Scan with (Your Antivirus).”
- Check the scan report—and even if the scan says it’s clean, stay cautious. Some malware can evade detection, so if the file has other red flags, don’t open it.
Antivirus tools are more likely to catch PDF threats if the malware uses known attack methods or includes detectable harmful content.
What to do if your PDF scanner detects a virus
Your scanner flags a PDF. Now what? If the scan says it’s infected, don’t open it—just delete it. But if you already did open it and your scanner confirms it’s harmful, stop using the file right away. A lot of malware doesn’t make a big scene—it just runs quietly in the background, doing damage while everything looks normal.
Here’s how to handle it without making things worse.
Steps to take after a positive virus scan
How to safely delete or quarantine a malicious PDF
Most antivirus tools let you quarantine the file—use that if available. Otherwise, delete it immediately and empty your trash. Don’t open it or stash it “just in case.”
Quick checklist:
- Didn’t open it? Good.
- Didn’t share it or forward it? Even better.
- Not hiding in your cloud folders or synced backups? Double-check.
Run a full system scan—just in case other threats made it through. Even if you didn’t open the file, it’s smart to check for anything else that might have somehow infiltrated your system.
How to protect yourself from malicious PDFs
The best defense? Don’t open suspicious PDFs. That’s easier said than done, but a few smart habits can go a long way. You don’t need to be a cybersecurity expert; you just need to be skeptical and keep your security settings optimized.
Avoid downloading PDFs from unknown sources
This is where most people slip up—a random email, a “free” template, a leaked document.
If you don’t know the source, skip the download. Even clean-looking PDFs can carry malware. They don’t raise red flags the way executable (.exe) files do for most users.
Always verify PDF senders
Got a PDF in your inbox? Before opening it, ask yourself:
- Do I know this person?
- Is the email legit (no strange characters or domains)?
- Was I expecting this file?
If something feels off, don’t open it—even if it came from someone you know. Their account might’ve been hacked, and it’s better to check and be safe than find out it was a trap.
Disable JavaScript in your PDF reader
Most people don’t know PDFs can even run scripts, but they can. And attackers like to exploit that. JavaScript powers forms and interactivity—but it’s also behind many of the nastiest PDF attacks. If you don’t need those features (and most of us don’t), turning off JavaScript is one of the simplest ways to protect yourself.
Here’s how to tweak the settings in two of the most popular readers: Adobe Acrobat and Foxit. Note that if you’re opening the PDF in Chrome’s default viewer, there’s no way to disable JavaScript—but as Chrome only allows very basic JavaScript functions and uses a sandbox, it’s still pretty safe.
In Adobe Acrobat Reader:
- Go to Edit > Preferences.
- Select JavaScript, then uncheck Enable Acrobat JavaScript.
For Foxit Reader:
- Go to File > Preferences.
- Then select JavaScript and uncheck Enable JavaScript Actions.
Why JavaScript in PDFs is a security risk
JavaScript in a browser runs inside a sandbox—which means there are restrictions on its permissions. And modern PDF readers have two JavaScript contexts, privileged and unprivileged, with PDFs only having access to the unprivileged one. This usually stops the PDF file from making harmful changes.
However, in some PDF readers, especially older ones, there are vulnerabilities that let harmful scripts run unrestricted and damage your system.
JavaScript can be used to:
- Execute malicious code as soon as the document is opened, often without your knowledge.
- Steal data, install malware, or manipulate files on your system if opened in a vulnerable reader.
- Bypass detection by hiding or obfuscating code, making it harder for antivirus tools to flag it.
Attackers take advantage of these capabilities to craft PDFs that look harmless but act maliciously behind the scenes. And since different PDF readers handle JavaScript differently, some are more vulnerable than others.
That’s why disabling JavaScript is widely recommended—unless you really need it for things like interactive forms, digital signatures, or embedded media. If you’re not sure, just leave it off.
Keep your software and operating system updated
Keeping your software updated lowers the risk of a malicious PDF exploiting known vulnerabilities. Many attacks rely on old bugs in outdated PDF readers, browsers, or operating systems.
Turn on auto-updates if you haven’t already and install security patches as soon as they’re available. If you’re curious about protecting yourself beyond just updates, these free cybersecurity courses are a great way to strengthen your online safety skills.
How security patches prevent PDF exploits
Every time a new vulnerability is discovered, like one that lets PDFs execute malicious code, PDF software providers rush to release a fix. These fixes get pushed out in updates.
If you skip updates, your system stays vulnerable long after the document exploit becomes public. That’s when attackers go hunting for unpatched systems. Don’t be one of them.
How to report a malicious PDF
If you spot a suspicious or confirmed malicious PDF, don’t just delete it and move on. Reporting it can help stop the spread—especially if it came through a public link, email, or a platform that others use.
Report a malicious PDF to Google Safe Browsing
If the file came from a link—say, from a website or Google Drive—you can report the URL to Google Safe Browsing. This helps Google warn other users who might click that link later.
To do this:
- Go to Google Safe Browsing Report and paste the suspicious URL (not the file itself—just the link to it).
- Check the “I’m not a robot” box.
- Select a reason under Category.
- Add context if you have it—what the link pretended to be, where you found it, etc.
- Click Submit Report.
If enough people report the same link, Google can block it in Chrome and other browsers that use Safe Browsing protection.
Send a PDF virus sample to your antivirus provider
Antivirus companies rely on user reports to improve their detection systems. If a file was flagged (or slipped through), send it to your provider so they can analyze it.
Just follow their upload instructions. Some ask for a zipped version of the file with a password like “infected” or “virus” (don’t open it yourself—just upload it). If the file wasn’t flagged, submitting it helps improve detection for others.
Security tools often rely on shared threat databases. When you upload a malicious file, it helps vendors strengthen their detection engines and flag similar threats faster in future scans. And if your antivirus didn’t catch it, your submission might alert others to something new that’s slipping through defenses.
Are PDFs commonly used in phishing attacks?
Yes—PDFs are perfect for phishing. They look harmless, people trust them, and they slip past filters that catch more obvious threats.
If you’ve ever gotten a file labeled “invoice,” “payment,” or “urgent,” and it came out of nowhere, it was probably a phishing attempt.
Signs that a PDF is a phishing attempt
A lot of phishing PDFs look pretty convincing. But here are a few things to watch for:
- Generic, vague titles: Names like “Important Info” or “Statement_2024.pdf” are designed to make you panic and click.
- Unexpected senders: Often, phishing PDFs claim to be from banks, delivery companies, or HR.
- Login pages inside the PDF: Legitimate files rarely ask for credentials.
- Links that lead somewhere strange: Hover over any links before clicking. If they go to a weird URL or just don’t match the company it claims to be from, that’s a red flag.
- Spelling mistakes or weird formatting: A lot of phishing PDFs have typos and mistakes. This can be a deliberate tactic to ensure that only the most vulnerable people will mistake it for a legitimate file, and those are the same people who are less likely to report it or pursue damages.
Steps to take if you receive a suspicious PDF
If a PDF feels off, even slightly, here’s what to do:
- Scan it first: Use a trusted online scanner (like VirusTotal) to check the file before opening it.
- If it’s flagged, delete it: Don’t open it—not even to check. Just delete it immediately.
- Verify with the sender if it came from someone you know: But don’t reply to the same email. Contact them through a new email or another trusted platform.
- Report it if it came through email: Most email providers have a phishing report option.
- Delete it: Don’t keep it “just in case.”
How to prevent phishing PDF attacks
It’s not just about spotting them—it’s about making yourself harder to target in the first place:
- Use strong spam filters with phishing protection. Most email apps have built-in filters. Check your settings to enable advanced filtering or safe sender lists (work accounts may have extra protection managed by IT).
- Don’t open unexpected attachments, even if they seem legit.
- Turn off JavaScript in your PDF reader.
- Slow down—phishing works because it pressures you to act fast.
And if you want to get better at spotting phishing in general, ExpressVPN has a helpful guide on phishing red flags that’s worth bookmarking.
What to do if you open a suspicious PDF
You clicked a PDF that seemed legit—but now you’re not sure. Don’t panic. If you act fast, you can usually stop things from getting worse.
Immediate steps to take after opening a malicious PDF
- Disconnect from the internet: If the file triggered anything shady, cutting the connection stops it from sending data out. Turn off Wi-Fi or unplug your cable immediately.
- Back up your important files: If things go sideways, you’ll want a clean copy of your data. Save your files to an external drive or cloud storage, especially anything personal or work-related.
- Run a full malware scan: Use your antivirus to do a deep system scan. This helps catch any hidden spyware or trojans.
- Change your passwords: If you entered credentials, update them fast. Use strong, unique passwords and store them securely with a password manager like ExpressVPN Keys.
- Watch your identity: If you shared personal details, consider placing a fraud alert with a credit bureau. It’s free and adds a layer of protection if someone tries to open accounts in your name. In the U.S., contacting one (Experian, TransUnion, or Equifax) is enough. They’ll notify the others. And for extra protection going forward, tools like ExpressVPN Identity Defender can monitor for data leaks and help you respond quickly. If you’re outside the U.S., check your country’s consumer protection agency or national credit reporting services—many offer similar fraud alert systems or credit freezes.
FAQ: Common questions about PDF and viruses
Can I get a virus just by downloading a PDF?
Generally, no. Most malicious PDFs need you to open or interact with them to trigger an attack. But in some rarer cases, preview features in email apps or file explorers or vulnerabilities in antivirus software can expose you to risk. That’s why it’s smart to scan any unexpected PDF before doing anything else.
What is the safest way to open a PDF?
Use a secure PDF reader like Adobe Acrobat or Foxit with JavaScript disabled. If you’re not sure about the PDF, scan it first with antivirus software or a tool like VirusTotal. Avoid opening files directly from email or your browser if the source seems off.
Can iPhones and Android phones get PDF viruses?
It’s rare, but not impossible. Mobile devices are more secure by design, but PDFs can still carry phishing links or exploit outdated apps—especially on Android. Stick to trusted apps, and keep your system up to date to reduce the risk.
Can a malicious PDF steal my personal data?
Yes, if it’s designed to. Some malicious PDFs install spyware or lead you to fake login forms to steal your credentials. If a PDF unexpectedly asks for sensitive info, close it immediately and run a scan to be safe.
How do I know if a PDF is secure?
There’s no guaranteed way to tell just by looking. Scan the file, verify who sent it, and open it with a secure, up-to-date reader. If anything about it feels off—delete it. When in doubt, don’t open the file.