{"id":8805,"date":"2025-10-06T12:00:00","date_gmt":"2025-10-06T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8805"},"modified":"2026-06-14T19:50:32","modified_gmt":"2026-06-14T16:50:32","slug":"beware-of-threats-lurking-in-booby-trapped-pdf-files","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2025\/10\/06\/beware-of-threats-lurking-in-booby-trapped-pdf-files\/","title":{"rendered":"Beware of threats lurking in booby-trapped PDF files"},"content":{"rendered":"<p>PDF files have become a staple of our daily digital lives, both at work and at home. They work seamlessly across operating systems and devices, and they couldn\u2019t be easier to create and share. Every day, countless PDF (Portable Document Format) files are exchanged across inboxes and messaging platforms, and chances are, you\u2019ve opened one today without a second thought.<\/p>\n<p>However, this all is also partly what makes PDFs the perfect disguise for all manner of threats. At first glance, PDF files seem about as benign as digital files get. To the naked eye, a malware-laced PDF or, indeed, another file type spreading under the guise of a PDF doesn\u2019t necessarily look much different from an ordinary invoice, resume or government form.<\/p>\n<p>Security researchers are seeing PDF files show up again and again as lures especially in mass social engineering campaigns, but also in <a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/002\/\">APT group operations<\/a> and even in <a href=\"https:\/\/www.welivesecurity.com\/2018\/05\/15\/tale-two-zero-days\/\">sophisticated zero-day attacks<\/a>. Recent ESET telemetry confirms that PDFs rank among the top file types abused in malicious campaigns.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 1. Top malicious email attachment types\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/10-25\/figure-1.png\" title=\"Figure 1. Top malicious email attachment types (source: ESET Threat Report H1 2025)\" width=\"\"><figcaption><em>Figure 1. Top malicious email attachment types (source: <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/threat-reports\/eset-threat-report-h12025.pdf#page=28\">ESET Threat Report H1 2025<\/a>)<\/em><\/figcaption><\/figure>\n<h2>A wolf in sheep\u2019s clothing<\/h2>\n<p>Booby-trapped PDFs typically arrive as email attachments or links in phishing messages that trick victims into taking action. As is common with social engineering campaigns, the lures are carefully crafted to spark emotion, such as urgency (think \u201cfinal notice\u201d), fear (\u201caccount suspended\u201d) or curiosity (\u201ctest results available\u201d). The end goal is to get you to <a href=\"https:\/\/www.welivesecurity.com\/2022\/05\/12\/10-reasons-why-we-fall-scams\/\">lower your guard<\/a> and using all manner of exhortations, such as \u201cpay now\u201d and \u201creview immediately\u201d, pressure you into opening a file or clicking a link.<\/p>\n<p>The attack techniques vary and have over the years included:<\/p>\n<ul type=\"disc\">\n<li><strong>Embedded scripts<\/strong> that run when the file opens, letting attackers launch various actions and deploy additional payloads. JavaScript in PDFs can perform legitimate tasks, such as creating interactive forms and automating processes, but it\u2019s <a href=\"https:\/\/helpx.adobe.com\/acrobat\/using\/javascripts-pdfs-security-risk.html#javascripts_in_pdfs_as_a_security_risk\">also abused<\/a> to download or execute code.<\/li>\n<li><strong>Hidden or malicious links:<\/strong> Links contained in the PDF can redirect you to credential-harvesting pages or <a href=\"https:\/\/www.welivesecurity.com\/2021\/07\/07\/bandidos-at-large-spying-campaign-latin-america\/\">prompt you to download<\/a> a malicious ZIP archive or executable.<\/li>\n<li><strong>Exploiting vulnerabilities in PDF readers:<\/strong> Malformed objects or specially crafted content can take advantage of bugs in vulnerable versions of common PDF readers and lead to code execution, as was the case with a software loophole affecting Adobe Reader and <a href=\"https:\/\/www.welivesecurity.com\/2018\/05\/15\/tale-two-zero-days\/#cve-2018-4990-rce-in-adobe-reader\">documented by ESET researchers<\/a>.<\/li>\n<li><strong>Files that only pose as PDFs <\/strong>and are instead scripts, executables or even malicious Microsoft Office files, among others, but their true file extensions may be hidden. While you may see a file called \u201cinvoice.pdf\u201d, clicking it actually launches an executable.<\/li>\n<\/ul>\n<p>Speaking of which, earlier this year we <a href=\"https:\/\/www.welivesecurity.com\/es\/estafas-enganos\/correos-falsos-suplantan-afip-troyano-bancario-grandoreiro\/\">wrote about a campaign<\/a> that distributed the Grandoreiro banking trojan and started with an email urging the victim to open a document, ostensibly in PDF format. In reality, it\u2019s a ZIP archive containing, among other things, a VBScript file that unleashes Grandoreiro on the device and ultimately gives criminals access to the victim\u2019s banking credentials.<\/p>\n<figure><img decoding=\"async\" alt=\"pdfs-malware-detectar-riesgo.afip\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/pdfs-malware-detectar-riesgo.jpeg\" title=\"Figure 3. The site you\u2019re taken to after clicking on the link in Figure 2\" width=\"\"><figcaption><em>Figure 2. Phishing email impersonating an Argentinian government agency, complete with a link leading to what poses as a PDF file<\/em><\/figcaption><figcaption><\/figcaption><img decoding=\"async\" alt=\"pdfs-malware-detectar-riesgo\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/08-25\/pdfs-malware-detectar-riesgo-1.jpeg\" title=\"Figure 3. The site you\u2019re taken to after clicking on the link in Figure 2\" width=\"\"><\/figure>\n<figure><figcaption><em>Figure 3. The site you\u2019re taken to after clicking on the link in Figure 2<\/em><\/figcaption><\/figure>\n<h2>How to spot a suspicious PDF<\/h2>\n<p>So what are the red flags that should put you on high alert?<\/p>\n<ol type=\"disc\">\n<li><strong>The file has a misleading visible name or double extension.<\/strong> This is the case with names like invoice.pdf.exe or document.pdf.scr, especially where attackers cast their nets wide and intend to ensnare as many people as possible. These files actually aren\u2019t PDFs at all \u2013 they are just dressed up to look like PDFs.<\/li>\n<li><strong>The sender\u2019s email address or name doesn\u2019t match what the file says.<\/strong> The email sender\u2019s address is different from the organization that the document claims to be from, or the domain is misspelled or suspicious.<\/li>\n<li><strong>The PDF is compressed inside a ZIP or RAR archive.<\/strong> The PDF arrives inside a ZIP or RAR \u2013 that\u2019s in a bid to circumvent detection by email filters.<\/li>\n<li><strong>The entire message is unexpected or sounds \u201cout of context\u201d.<\/strong> Ask yourself: did I ask for this file? Do I know the sender? Does it make sense for them to send it to me?<\/li>\n<\/ol>\n<figure><img decoding=\"async\" alt=\"3_HSBC_themed_lure.png\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/04\/3_HSBC_themed_lure.png\" title=\"Figure 4. Fake job offer disguised as a PDF file (source: ESET Research)\" width=\"\"><figcaption><em><span lang=\"EN-US\">Figure 4. Fake job offer disguised as a PDF file (source: <\/span><\/em><a href=\"https:\/\/www.welivesecurity.com\/2023\/04\/20\/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack\/#operation-dreamjob-with-a-linux-payload\"><em><span lang=\"EN-US\">ESET Research<\/span><\/em><\/a><em><span lang=\"EN-US\">)<\/span><\/em><\/figcaption><\/figure>\n<h2>What to do if you receive a suspicious PDF<\/h2>\n<p>If a PDF raises red flags, take these precautions:<\/p>\n<ol start=\"1\" type=\"1\">\n<li><strong>Resist the temptation to immediately download or open the file.<\/strong> The adage \u201cwhen in doubt, kick it out\u201d works here nicely.<\/li>\n<li><strong>Verify the sender and context.<\/strong> Before opening the potentially sketchy attachment, contact the sender by a separate communication channel, such as a phone call, to check that they have really sent it.<\/li>\n<li><strong>Check the file extension and size.<\/strong> Toggle \u201cshow file extensions\u201d or similar in your operating system and confirm the file is a real .pdf (not an .exe, for example) and that the file size seems plausible.<\/li>\n<li><strong>Scan the file <\/strong>with your security software (or alternatively, upload it to VirusTotal to get a quick first look).<\/li>\n<li><strong>Open with care.<\/strong> If you absolutely must open it and have taken the other precautions, use an up-to-date PDF viewer with sandboxing or a protected view feature enabled (such as Adobe\u2019s <a href=\"https:\/\/helpx.adobe.com\/reader\/using\/protected-mode-windows.html\">Protected View<\/a>).<\/li>\n<\/ol>\n<h2>What to do if you suspect you\u2019ve opened a sketchy PDF<\/h2>\n<ol start=\"1\" type=\"1\">\n<li><strong>Disconnect from the internet<\/strong> to reduce the chance of data exfiltration or further payload downloads.<\/li>\n<li><strong>Run a full computer scan<\/strong> with an updated security solution. If you don\u2019t have any, run a one-time check as available courtesy of <a href=\"https:\/\/www.eset.com\/us\/home\/online-scanner\/\">ESET\u2019s free scanner<\/a>.<\/li>\n<li><strong>Check running processes and network connections<\/strong> for anomalies. If you\u2019re not experienced, get a professional to investigate.<\/li>\n<li><strong>Change passwords<\/strong> especially for your financial and other valuable accounts, particularly where you suspect your credentials may have been stolen \u2013 but do so from a device other than the one where you downloaded the PDF.<\/li>\n<li><strong>Report<\/strong> the incident to your IT\/security team (in case you opened the file on your work machine).<\/li>\n<\/ol>\n<h2>Parting thoughts<\/h2>\n<p>These tried-and-tested rules will go a long way towards keeping you safe from dodgy PDFs:<\/p>\n<ul>\n<li>If you weren\u2019t expecting the file, don\u2019t open it, at least not without checking first that the file is legitimate.<\/li>\n<li>Educate yourself on how to <a href=\"https:\/\/www.welivesecurity.com\/en\/scams\/dear-all-what-are-some-common-subject-lines-in-phishing-emails\/\">recognize phishing scams<\/a>.<\/li>\n<li>As many attacks rely on known software vulnerabilities, keep your operating system and all other software, including PDF readers, <a href=\"https:\/\/www.welivesecurity.com\/2022\/10\/24\/5-reasons-keep-software-devices-up-to-date\/\">up-to-date<\/a>.<\/li>\n<li>Enable <a href=\"https:\/\/helpx.adobe.com\/reader\/using\/protected-mode-windows.html\">Protected View<\/a> or sandbox mode in your PDF reader of choice and consider adjusting or <a href=\"https:\/\/helpx.adobe.com\/acrobat\/using\/javascripts-pdfs-security-risk.html\">disabling your JavaScript settings<\/a> in it.<\/li>\n<li>Use reputable, multi-layered security software on all your devices.<\/li>\n<\/ul>\n<p>It\u2019s safe to say that cybercriminals will continue to exploit the trust we place in PDFs. The use of PDFs for malicious ends is also a reminder that security threats typically don\u2019t arrive wrapped in suspicious-looking files. The tried-and-true rule applies here, too: Treat every unexpected link and attachment with caution and rely on trusted tools to protect your data and devices.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/malware\/threats-lurking-pdf-files\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money.<\/p>\n","protected":false},"author":5,"featured_media":8806,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[147],"tags":[],"class_list":["post-8805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8805"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8805\/revisions"}],"predecessor-version":[{"id":9506,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8805\/revisions\/9506"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8806"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}