Hackers and malware developers are always changing their tactics to try to stay one step ahead of everyone else. Consequently, no file format can be considered 100% safe. If it isn’t dangerous now, it may be tomorrow or next month. A PDF virus is just one example.
In this article, we’ll show you how a PDF can contain a virus and what to do if you think you’ve accidentally clicked on one.
So, can a PDF have a virus?
Yes, a PDF file can have malicious scripts or links embedded into it. These can activate and install all sorts of malware and exploits on your device when you open the PDF file or click on any of the links in it.
Adobe Acrobat could have a vulnerability
No software program is immune to security vulnerabilities. If someone who wants to spread a PDF virus finds a vulnerability in Adobe Acrobat to help them do it, then it’s a walk in the park.
Many users have Adobe Acrobat installed on their computers. But how many of them fail to keep the program updated with the latest security patches?
The PDF file could contain hidden malicious code
Once the PDF file has been opened, embedded code such as JavaScript will start working. This could be used to trigger a malware download to your device, such as spyware to steal your data or a remote access trojan to corrupt files and damage your machine.
You could also be tricked into downloading a fake Adobe Acrobat update or installer file.
Could opening a PDF be dangerous?
Can a PDF be malicious to open? The short answer is yes. Just like a Microsoft Word file, a PDF can be used to conceal and transmit malware by means of an email attachment or a download link on a website.
What makes PDF files such an effective tool for hackers is that they are used for so many applications — invoices, contracts, bills, and various other documents used every day for work and home life.
In other words, if you’re already getting legitimate PDFs from trusted people like your boss, you may instinctively open a malware-infected PDF file named “payslip January 2026” without thinking about it.
Warning signs a PDF file contains malware
We’ve already discussed that PDFs can contain malware. But how do you recognize a malicious file, and what warning signs should you look for? Here are some red flags that should make you stop and think.
You got the file from a stranger
Did you receive the PDF from someone you know and trust? Or was it a complete stranger? You should not open anything from people you don’t know.
Even if the file came from someone you do know, like your boss, you should still check with them first.
The file has a nonsensical file name
Which sounds more credible to you? Invoice2025.pdf or ZhG9L#1FG.pdf?
If a file has a crazy name to it, it’s more likely to be malware, and thus, it shouldn’t be opened. A legitimate PDF is going to have a proper name.
You found the PDF file in your email spam folder
Before you pull emails out of your spam folder, consider why they might be there.
Other users may have flagged the sender as spreading spam, or your email service may have scanned the PDF attachment and determined it to be suspicious.
You’re urged to open the PDF immediately
Hackers and virus spreaders want you to act immediately on impulse. For them, the less time you have to think about it, the better.
Therefore, if you get an email message urging you to open a PDF file immediately, stop. Why is it so urgent that you need to open it now?
The PDF comes with no accompanying explanation
If someone sends you a PDF file, the usual modus operandi is to also send an accompanying message. This could be a simple request, such as, “Please review and return at your earliest convenience,” or a more detailed explanation of what the file is all about.
If the PDF comes in a blank email, don’t open it. If you know the recipient, ask for an explanation about the file. If it comes from a stranger, delete it.
The PDF immediately asks you to download something
The PDF, in this scenario, is essentially a malware delivery system. The attacker sending the file to you needs to get you to take action to load malware on your system. This is usually done by getting you to open the file, which triggers embedded code.
If you get a pop-up box asking you to download an update, a new version of Adobe Acrobat, or any add-ons, don’t do it. Scan the PDF file immediately for signs of malware.
How to check a PDF for viruses before opening
Just because PDF viruses are well-hidden doesn’t mean you can’t protect yourself from them. In fact, there are many ways you can check a PDF for viruses before opening it, such as:
- Checking for embedded JavaScript: Use a PDF parser to check the file for auto-launch actions, JavaScript, or embedded files. These are usually signs that the file has been tampered with to include malicious code.
- Extracting the file hash: You can run the file hash against any database of known threats to check if it’s associated with any known malware campaigns.
- Checking the sender’s address: If it’s an email attachment, make sure it’s from an address you trust. Many phishing schemes rely on users quickly opening files without checking the rest of the email for signs of a scam.
- Disabling scripts and macros: Turn off all automated actions, scripts, and macros to prevent any hidden code from executing if the PDF turns out to be infected.
- Previewing instead of opening: Use your email or file manager to get a peek into the PDF before fully opening it. This will give you the chance to verify the layout and some of the file’s information.
Scan a PDF for viruses and get rid of any malware
You won’t always be able to tell if a PDF file contains malware. While the source, name, or general structure of the file can help you make an educated guess as to the safety of the file, your best option is to rely on an antivirus to scan the file for you.
Antivirus and anti-malware software is capable of detecting countless types of malware by comparing the suspicious elements of the PDF file against a database of known threats. And the best part? You don’t even need to have an antivirus installed on your Mac to do this. Online tools like VirusTotal let you scan suspicious PDF files online and give results you can trust in no time.
From your internet browser, go to the VirusTotal website and select the tab for FILE. Then, click “Choose file” and select the suspicious PDF file from your device. Finally, click “Confirm upload.” VirusTotal will proceed to scan and analyze the contents of the file, comparing it with dozens of known threats from reputable security vendors and giving it a safety score — similar to how any trusted PDF virus scanner works.
What to do if you open a suspicious PDF on your Mac or iPhone
So, you’ve accidentally opened a PDF file that likely contains a virus. What now — apart from immediately deleting the file?
Use Moonlock to scan for malware and viruses
If the VirusTotal scan came back positive and you’ve already had the PDF file on your device, then the virus may have already taken root. Sign up for a free trial of Moonlock to run a comprehensive scan and fully remove the virus from your Mac.
Here’s how you do it:
- Open Moonlock, then navigate to the Malware Scanner tab from the left sidebar.
- From the drop-down menu, you can choose between Quick, Balanced, and Deep Scan. We recommend opting for a Deep scan to allow Moonlock to scan all files on your Mac.
- Click Scan.
Moonlock will search your device for all threats, new and old. As soon as it finds the PDF virus, it’ll capture it and lock it up in Quarantine, preventing it from further interacting with your files. Once the scan is complete, Moonlock will list all threats it has found and allow you to fully and safely remove them from your Mac with the click of a button.
Update your machine
Now check for system updates on your Mac by going to the Apple menu > System Settings > General > Software Update. Immediately install any available patches and restart your computer.
Disconnect your internet
Malware requires an internet connection to connect to the mothership and transfer your data. The very first thing you need to do is cut that connection.
Consider wiping and resetting your device
Another option, albeit an extreme one, is to wipe and completely reset your Mac to factory settings.
Modern Macs with M-series chips make wiping and resetting a very fast and easy process. Just be sure you have a backup of all your files.
Change the passwords on all your important accounts
Once your computer is back on, it’s time to take some precautionary measures. Identify your most important and sensitive accounts and change the passwords. This should include:
- Social media
- Online banking
- Work accounts (such as Slack, Microsoft Teams, and your company intranet)
Also, enable 2-factor authentication if it isn’t already turned on.
In general, you should monitor all your important accounts more closely for any unusual activity for a while.
FAQ: PDF malware risks and how infections happen
Your best weapon against PDF viruses and malware is understanding where they come from and how they work.
The answer to this depends on the type of exploit embedded in the PDF. If it’s just a malicious link, then opening the file won’t trigger it; this only happens when you click on it. However, some scripts can auto-execute to take advantage of known vulnerabilities in your PDF reader, allowing them to run without sounding the alarm.
Usually, no. That’s the case for most infected PDFs. However, there’s a slight chance the PDF has been infected with a zero-click exploit that doesn’t require you to take any actions. Keeping your OS and software up-to-date and scanning files before downloading them can help mitigate this risk. In some instances, simply deleting the PDF file isn’t enough, and you’ll need to use an antivirus to fully remove malware from your device.
The risk of this happening on your iPhone ranges from very low to virtually nonexistent. iOS keeps apps in isolation, preventing them from communicating with each other without explicit admin permission. Not to mention, most PDF malware targets desktop devices and is rarely made with iOS in mind.
Attackers mostly rely on phishing schemes to spread infected PDF files. This can mean anything from emails to social media posts urging users to download files or click links. In some instances, they can use the compromised email addresses and social media accounts of real people to target individuals directly related to them with a higher success rate.
If you aren’t trained in malware analysis, just delete the file. It’s important that you minimize your risk of infection by being cautious around suspicious files, treating them as infected until proven otherwise.
How to protect your Mac from malicious PDFs and malware threats
Once the malware is gone, the last thing you want is a repeat performance. Here are some golden rules to help you avoid any malicious PDFs in the future.
Never download PDF files from people you don’t know or trust
Frankly, this applies to all download links and files. If you don’t know the sender, don’t open it. And even if you do know the sender, nobody is going to complain if you’re cautious and double-check that the file is really from them.
Run regular malware scans
The best way to keep your device safe from all sorts of malware is to run regular scans and use a continuous monitoring security solution.
When you sign up for a free trial of Moonlock, you’ll get access to the built-in real-time protection feature, which keeps an eye on device activity and scans all new files as soon as they’re on your Mac. To enable this feature, open Moonlock, then click Explore from the Home page. From the right-hand sidebar, under real-time protection, click on Options.
A new window with additional security settings will pop up. Under “Continuous monitoring,” tick the box “Turn on real-time protection.” Now, if Moonlock detects any malware, adware, or spyware, it’ll immediately act to neutralize it and alert you of the threat.
Don’t click on links inside PDFs if prompted
PDFs have clickable links inside them, which can be convenient. But they can also hide nasty gremlins like malware.
In general, try to avoid clicking embedded links inside PDF files. But if you have to, mouse over the link first to see where it leads.
Be wary of PDFs that ask for too much personal information
No legitimate PDF is going to ask you for personal data like your credit card number, social security number, passwords, and so forth. If you get questions like that, close and delete the file.
Use Mac Preview Instead of Adobe Acrobat
If you’re using a Mac, consider uninstalling and not using Adobe Acrobat. A safer option is to use the Preview app in Finder.
The advantage here is that you won’t be susceptible to any Adobe Acrobat vulnerabilities. Plus, if you get a pop-up box telling you that Adobe Acrobat is corrupted and you don’t have the software in the first place, that’s a clear red flag.
Last of all, the Preview app can be considered safe because all updates come directly from Apple’s macOS updates.
PDF viruses are just one of many tactics that malware developers and hackers use to try to stay one step ahead of cybersecurity experts like the team at Moonlock.
Attackers who embed viruses inside files such as PDFs hope to ensnare as many victims as possible before antivirus software can catch them. Fortunately, by employing some common sense techniques, you can avoid downloading these viruses, denying the criminals another victim.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Mac and macOS are trademarks of Apple Inc. Adobe Acrobat is a trademark of Adobe Systems Incorporated.
