Can a PDF Have a Virus? Yes — Here's How It Actually Happens
How malware hides inside PDF files, how to tell if a PDF is dangerous, and how to open a suspicious one without infecting your computer.
Yes. A PDF can absolutely carry malware, and it's been one of the most popular delivery vehicles for it for about two decades. That's the short answer. The longer answer is more reassuring: simply having a malicious PDF on your disk usually does nothing, modern readers have gotten much harder to exploit, and a few sensible habits reduce the risk to nearly zero. Here's how the attacks actually work and what to do with a PDF you don't trust.
How malware hides in a PDF
A PDF isn't just a picture of a page. The format allows executable ingredients, and each one is an opening:
- JavaScript. PDFs can contain scripts, originally meant for form validation. Attackers use them to trigger exploits in the reader or to phone home. This is the classic vector.
- Embedded files. A PDF can carry other files inside it, including executables. The PDF is the envelope; the payload is inside.
- Reader exploits. Malformed fonts, images, or structures crafted to crash the PDF reader in a controlled way and run code. These need an unpatched reader, which is why updates matter more than anything else on this list.
- Plain old phishing links. The most common one today, honestly. The PDF itself is harmless: an invoice or delivery notice with a big blue button that leads to a credential-stealing site. No exploit needed; you click, the browser does the rest.
Can you get a virus just by opening a PDF?
Opening is the moment of risk, yes — but with a patched, modern reader, a drive-by infection from merely opening a file is rare. Browsers (Chrome, Edge, Firefox all open PDFs) render them in a sandbox with JavaScript support that is limited or off, which is why "open it in the browser" is the standard advice for anything sketchy. Downloading a PDF without opening it does essentially nothing; the file has to be parsed by a reader before any of its tricks can run.
The realistic ways people actually get burned, in order: clicking a phishing link inside the PDF, being months behind on reader updates, and opening the "attachment" that turned out to be invoice.pdf.exe — which is not a PDF at all, just an executable wearing a costume. Windows hides extensions by default, which makes that costume work. Turn extensions on.
How to handle a PDF you don't trust
- Consider the source, not the file. An unexpected invoice, a résumé you never asked for, a "package delivery" notice: the sender story is the red flag, not anything about the file.
- Open it in the browser first. Drag it into Chrome or Firefox rather than double-clicking. Sandboxed, minimal scripting, good enough to read it.
- Scan it. Your antivirus can check the file, and VirusTotal will run it past dozens of engines. One caveat: anything you submit to VirusTotal becomes available to security researchers, so don't upload confidential documents to it.
- Don't click links inside it. If a PDF wants you to "verify your account," go to the site yourself in a new tab.
- Keep your reader updated. Nearly every real PDF exploit in circulation targets a vulnerability that was patched long ago.
Cleaning a PDF: remove the dangerous parts, keep the document
Sometimes you need to keep working with a file you don't fully trust — a contract from a new client, a form from who-knows-where. You can strip out everything executable and keep the pages.
Our sanitize tool removes JavaScript, embedded files, external links, and hidden data from a PDF — and it does it entirely in your browser. The file never uploads to us or anyone else, which is precisely what you want when the document is both suspicious and confidential. Uploading a sensitive contract to a random scanning service just to check it for malware is trading one risk for another.
Can a PDF infect your phone?
iOS and Android render PDFs in tightly sandboxed viewers, and a PDF-borne infection of a patched phone is genuinely exotic. The phishing-link problem, though, works exactly as well on a phone as anywhere else — arguably better, because mobile browsers hide the URL.
The bottom line
Treat PDFs like email attachments generally: the danger correlates with the sender, not the file type. Patched reader, browser-first for anything unexpected, no clicking embedded links, and sanitize anything you need to keep but don't fully trust. That covers the actual attack surface.