I casually mentioned to a friend one day that you “could not, of course, trust PDFs”, and they were surprised.
I was surprised that they were surprised. Apparently, this is not as commonly understood as I had thought, so maybe it deserves a few words on the subject.
TLDR: PDFs are not safe. Get a good virus scanner and hope for the best. DARPA is trying to make it better. There are a few things you can do in the meantime.
PDFs are Not Safe
I download a lot of PDFs (files in the Portable Document Format), for research or other reading. They are a staple for sharing and archiving information. Every now and then, I recall that PDFs are not 100% safe, and hope that my antivirus can handle any issues. A PDF can contain viruses and other malware, so you should scan them.
There is an easy way and a hard way for an attacker to turn a PDF into a vector for attacking you. The hard way is to craft a PDF that triggers a vulnerability in the PDF reader itself, typically a memory-corruption bug in one of its parsers (images, fonts, compressed streams); reference [1] walks through a heap buffer overflow of this kind in Adobe Acrobat Reader DC. Such a bug needs no click: the file is parsed the moment it is opened or previewed. Any software that can read a PDF can have such a vulnerability, whether Adobe Reader, a free reader you downloaded, or any browser with a built-in PDF viewer (all of them have one), but attackers mostly target the most common readers, like Adobe Reader and the major browsers. There is little payoff in attacking software that 1 in 1000 users will ever run.
The easy way is to build JavaScript into the PDF. The PDF standard defines JavaScript actions: a script can be attached to the document so that it runs when the file is opened (an OpenAction), when some event fires (an "additional action"), or when you click a form field or link. This takes advantage of the fact that JavaScript is intended to be used inside PDFs, to make forms and presentations more functional!
But embedded JavaScript can be written to do malicious things. What a script can do directly is bounded by the reader's JavaScript API, which is deliberately restricted, so the usual pattern is to use the script as a first stage: it checks the reader version, arranges memory for a parser bug of the kind described above, and triggers it. After that the attacker's code can download trojans or other malware from somewhere on the Internet, drop a file the PDF already carries (encrypted or disguised so your antivirus does not recognize it) and run it, or send data and files from your computer to a site the attacker controls (including ordinary services such as a Telegram bot, where the traffic blends in). Even without a reader bug, a script or a plain link action can try to reach out to the Internet and report that you opened the file, violating your privacy without asking.
To make this worse, your outbound firewall most likely allows connections to web servers on the Internet (otherwise you could not browse), so a call home from a PDF looks like ordinary web traffic. The impact is limited only by the attacker's imagination.
I think the main issue is that many people do not think of PDFs as potentially dangerous. It's just a text file, right?
But it is not just a text file. That is my point. A PDF is a container of objects, and some of those objects can be code. If it contains JavaScript, your PDF reader can execute that, and that JavaScript is code that some unknown programmer has crafted to do whatever he can imagine.
And now that you are informed, you are a bit safer.
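The practical check that follows from this: before opening a PDF from an unknown source, look for the name objects that mark active content. The following is an added example in Python, not code from the original post, written in the style of Didier Stevens' pdfid tool. It counts the PDF names associated with scripts and auto-run actions, resolves the #xx escapes that a malicious file can use to hide them (/J#53 is the same name as /JS), and inflates FlateDecode streams, because a PDF 1.5 object stream can bury the whole action dictionary in compressed data where a plain text search never sees it. The sample PDFs are constructed for this example; the function names are the example's own.

```python
"""Static triage of a PDF for active content, pdfid-style.

Added example, not code from the original post. It looks for the PDF name
objects that mark scripts and auto-run actions, resolves #xx name escapes
(/J#53 is /JS), and inflates FlateDecode streams so that names hidden in a
PDF 1.5 object stream are seen too. The sample PDFs are constructed here."""
import re
import zlib

# Name objects that mark active or auto-triggered content. Presence is a
# reason to sanitize or sandbox before opening, not proof of malice.
RISKY_NAMES = (
    b"/JS", b"/JavaScript",                     # script bodies and actions
    b"/OpenAction", b"/AA",                     # run on open / on events
    b"/Launch",                                 # launch an external program
    b"/EmbeddedFile", b"/RichMedia", b"/XFA",   # dropped files, Flash, XML forms
)

# A name token: '/' followed by regular characters; #xx escapes any byte.
_NAME_RE = re.compile(rb"/[A-Za-z0-9_.#\-]+")
# A stream body between the 'stream' and 'endstream' keywords.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(token: bytes) -> bytes:
    """Resolve #xx escapes so that /J#53 compares equal to /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes) -> bytes:
    """Inflate every stream that is zlib data; skip the rest (images, fonts)."""
    chunks = []
    for m in _STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def scan_pdf_bytes(data: bytes, inflate: bool = True) -> dict:
    """Count risky names in the raw bytes and, by default, in inflated streams."""
    blobs = [data, inflate_streams(data)] if inflate else [data]
    counts = {}
    for blob in blobs:
        for token in _NAME_RE.findall(blob):
            name = decode_name(token)
            if name in RISKY_NAMES:
                counts[name.decode()] = counts.get(name.decode(), 0) + 1
    return counts


def is_suspicious(data: bytes) -> bool:
    return bool(scan_pdf_bytes(data))


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_pdf_bytes(f.read())


# --- constructed samples (not real documents) -------------------------------
def make_pdf(catalog_extra: bytes = b"", extra_objects: bytes = b"") -> bytes:
    """Assemble a minimal one-page PDF skeleton (constructed sample)."""
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            + extra_objects +
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


BENIGN_PDF = make_pdf()
JS_ACTION = b"4 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1);) >> endobj\n"
JS_PDF = make_pdf(b"/OpenAction 4 0 R", JS_ACTION)        # script runs on open
ESCAPED_PDF = make_pdf(b"/OpenAction 4 0 R",              # same, names escaped
    b"4 0 obj << /Type /Action /S /Java#53cript /J#53 (app.alert(1);) >> endobj\n")


def objstm_pdf() -> bytes:
    """Same action, but inside a FlateDecode object stream (PDF 1.5 /ObjStm)."""
    packed = zlib.compress(b"4 0 << /Type /Action /S /JavaScript /JS (app.alert(1);) >>")
    stream = (b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
              + str(len(packed)).encode() + b" >>\nstream\n" + packed
              + b"\nendstream\nendobj\n")
    return make_pdf(b"/OpenAction 4 0 R", stream)


if __name__ == "__main__":
    for label, pdf in [("benign", BENIGN_PDF), ("javascript", JS_PDF),
                       ("escaped names", ESCAPED_PDF), ("object stream", objstm_pdf())]:
        print(f"{label:14s} {scan_pdf_bytes(pdf)}")
```

A hit on /OpenAction alone is common in harmless files (many open at a particular page), so treat the output as triage: anything with /JS, /Launch or /EmbeddedFile from an unknown sender goes to a sandbox or to the flattening step described later, not to your main desktop. The object-stream sample is the case that defeats a naive `grep /JavaScript`; run the script with `inflate=False` on it to see the miss.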
What Can I Do?
Hopefully, I’ve made you a bit paranoid, and you are asking what you should or can do about this.
1. Get antivirus software and keep it updated. Don't tell yourself "iPhones never get infected, so I'm safe and don't need that." Scan the PDFs you download, or let your antivirus do it. Bear in mind that a scanner catches what it has signatures or heuristics for; a brand-new exploit (see the note on zero days below) will usually slip past it.
2. Turn off JavaScript. There are two separate switches here: JavaScript in your browser, for web pages, and Acrobat JavaScript inside your PDF reader, for scripts in documents. I have a browser extension that lets me toggle the first one on and off easily. But many web sites do not display correctly with JavaScript off. Nevertheless, if you are going into a bad part of town (like a hacker site) then it might be prudent.
That said, it's hard to live with JavaScript turned off. I was rather amused by this advice, given in the CERT vulnerability note for a pretty bad vulnerability in Adobe Reader. [2]
Users were advised that disabling JavaScript may prevent the vulnerability from being exploited. They even told you how: Acrobat JavaScript can be disabled in the General preferences dialog (Edit -> Preferences -> JavaScript, then un-check Enable Acrobat JavaScript). Then they said that this does not block the vulnerability, it just prevents the most common way of triggering it. [2] (The same advice came with the Chrome zero-day reported in early July 2025, CVE-2025-6554, which was a bug in Chrome's JavaScript engine rather than in a PDF reader. [3]) This kind of change to each of your PDF-reading apps is a lot of work for a little extra security. Recall that every browser, every PDF reader, and many Microsoft Office tools on every one of your systems can all read PDFs. In my humble opinion, JavaScript should be OFF by default.
3. Disable automatic display of PDFs in browsers. Every browser is different, and that is a painful idea. But you can use some off-brand PDF reader and disable the "common" or "normal" readers (like your browsers and Adobe), and that gives you better-than-normal protection: exploits are written for the popular readers, so a rarer one is less likely to be targeted. It still has bugs of its own, so keep it updated and turn off its JavaScript support as well.
The Chrome case was a "zero day" (meaning the vendor did not know about the flaw, so had 0 days to make a fix): users were advised to disable JavaScript until they could patch. [3] Attackers were using this flaw on the Internet before the vendor found out about it. ***
4. Flatten PDFs to remove JavaScript, Flash and other active content. You could use Ghostscript like this:
gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sOutputFile=flattened.pdf raw.pdf
This helps, because pdfwrite regenerates the document from what it rendered rather than copying the original objects, but a crafted image stream can survive: pdfwrite passes JPEG data through unchanged by default, and fonts and other streams come from the original too. So you probably also want to "downsample" the images, which forces them to be decoded and re-encoded; that alters the offsets of anything hidden in them and most likely leaves an exploit payload broken and non-functional. [5] Or you could open the document in a virtual machine, take an image of each page, and use that instead. This is safer still, but you lose the ability to search or copy the text.
For the tech-savvy, tools like Ghostscript (or any print-to-PDF pipeline that goes through PostScript) will flatten PDF files, and this removes most active content. Keep in mind that the flattening tool itself has to parse the untrusted file, so it belongs in the throwaway environment too. There are also editors, online services, and tools to convert PDFs to Microsoft Word docs, with the same caveat about trusting the converter. [5][6]
5. Print them out from a safe or temporary environment (think virtual machine or Docker container). Then scan the pages back into a new PDF with a scanner and put them on a USB stick or email them to yourself. This works, since only pixels survive the trip through paper, but it may not be worth the effort to set up.
6. You could review [7] for more ideas, such as "Don't open PDFs from untrusted sources." Most methods require some computer expertise and are more work than they are worth. I suggest you evaluate things by this criterion: is the benefit worth the effort?
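Steps 4 and 5 as one script, added here as an example rather than the post's own procedure. It drives Ghostscript in two modes: regenerate the file through pdfwrite with image downsampling (so pass-through JPEG streams are decoded and re-encoded) and with annotations dropped, since annotations can carry actions; or rasterize every page with the pdfimage24 device into an image-only PDF, which is the "image copy" of step 5 without a printer. The Ghostscript switches are real Ghostscript options; the function names, and the assumption that the `gs` binary is on PATH, are this example's. Run it inside the throwaway VM, since Ghostscript itself must parse the untrusted file.

```python
"""Sanitize a PDF with Ghostscript (added example; assumes `gs` is on PATH).

flatten   : pdfwrite rebuilds the document from rendered content, so
            document-level JavaScript, OpenAction and embedded files are not
            carried over; annotations are dropped and images re-encoded.
rasterize : pdfimage24 renders each page to pixels and writes an image-only
            PDF; nothing but bitmaps survives, at the cost of searchable text.
"""
import shutil
import subprocess
from pathlib import Path

GS = "gs"  # Ghostscript binary name (gswin64c on Windows); assumed on PATH
COMMON = ["-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET"]


def flatten_args(src: str, dst: str, dpi: int = 150) -> list:
    """Command line for the pdfwrite route with forced image downsampling.
    Downsampling makes pdfwrite decode and re-encode every image, so a
    crafted JPEG stream is not passed through byte-for-byte (the default)."""
    return [GS, *COMMON, "-sDEVICE=pdfwrite",
            "-dPreserveAnnots=false",            # annotations can carry actions
            "-dDownsampleColorImages=true", f"-dColorImageResolution={dpi}",
            "-dDownsampleGrayImages=true", f"-dGrayImageResolution={dpi}",
            "-dDownsampleMonoImages=true", f"-dMonoImageResolution={dpi * 2}",
            f"-sOutputFile={dst}", src]


def rasterize_args(src: str, dst: str, dpi: int = 150) -> list:
    """Command line for the image-only route (pdfimage24 device)."""
    return [GS, *COMMON, "-sDEVICE=pdfimage24", f"-r{dpi}",
            f"-sOutputFile={dst}", src]


def sanitize(src: str, dst: str, mode: str = "flatten", dpi: int = 150) -> str:
    """Run Ghostscript in the chosen mode and return the output path."""
    if mode not in ("flatten", "rasterize"):
        raise ValueError("mode must be 'flatten' or 'rasterize'")
    if shutil.which(GS) is None:
        raise FileNotFoundError("Ghostscript (gs) not found on PATH")
    build = flatten_args if mode == "flatten" else rasterize_args
    # check=True raises if gs fails; a timeout bounds a decompression bomb.
    subprocess.run(build(src, dst, dpi), check=True, timeout=600)
    out = Path(dst)
    if not out.is_file() or out.stat().st_size == 0:
        raise RuntimeError("Ghostscript produced no output")
    return dst


if __name__ == "__main__":
    import sys
    # usage: sanitize.py raw.pdf clean.pdf [flatten|rasterize]
    chosen = sys.argv[3] if len(sys.argv) > 3 else "flatten"
    print(sanitize(sys.argv[1], sys.argv[2], chosen))
```

The flatten route keeps selectable text and is the everyday choice; rasterize is for a file you distrust enough that you only want to look at it. Either way, run the triage check from the earlier section on the output before trusting it, and remember that the sanitized file is only as clean as the Ghostscript version you used.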
HOPE
The situation is actually worse than I have described. Now that I have depressed you, let me point out some hope. The problem has gotten bad enough that DARPA (Defense Advanced Research Projects Agency), through its SafeDocs program, has engaged with the PDF standards people to make a more secure PDF standard. [8] They showed up at DEF CON 32 to promote the idea and ask for feedback. We can hope this results in better basic security for PDFs. For now, you are stuck with virus scanning, avoiding untrusted sources, and the clumsy methods I have outlined.
Q&A
People always ask, "Why not just remove JavaScript, Flash, etc. from PDF files?" I agree that for most purposes that makes sense. But the standard allows them. The vendor promotes them as cool features. And users fall for this, to make their documents slick and cool for presentations.
References
[1] Exodus Intelligence, analysis of a heap buffer overflow vulnerability in Adobe Acrobat Reader DC: https://blog.exodusintel.com/2021/10/04/analysis-of-a-heap-buffer-overflow-vulnerability-in-adobe-acrobat-reader-dc-2/
[2] CERT/CC Vulnerability Note VU#905281 (Adobe Reader advisory, with the disable-Acrobat-JavaScript workaround): https://www.kb.cert.org/vuls/id/905281/
[3] TechRepublic, Google Chrome emergency update for a zero-day flaw: https://www.techrepublic.com/article/news-google-chrome-emergency-update-zero-day-flaw/
[4] Same note as [2], workaround to prevent Internet Explorer from automatically displaying PDFs: https://www.kb.cert.org/vuls/id/905281/
[5] Security StackExchange, effectiveness of flattening a PDF to remove malware: https://security.stackexchange.com/questions/103323/effectiveness-of-flattening-a-pdf-to-remove-malware
[6] Sanitize-PDF README: https://github.com/Kerbalnut/Sanitize-PDF/blob/master/README.md
[7] Same note as [2], "Do not access PDF documents from untrusted sources": https://www.kb.cert.org/vuls/id/905281/
[8] DARPA, SafeDocs: https://www.darpa.mil/news/2023/safedocs
*** What is a zero day or 0day?
Bugs exist in software that can be used to attack or control a system. Usually people discover these, report them, and the vendor fixes them. But sometimes attackers discover a bug first and use it before the vendor hears about it. In that period the vendor has had 0 days to fix it, and system administrators (that is you, for your laptop) have had 0 days to patch it. You are vulnerable during this period: there is no patch available. You may have firewalls, virus scanners, and such, but nothing fixes the bug itself.
This period is sometimes YEARS, and during that time criminals and nation states can use these 0-day bugs to attack systems successfully. In fact, many believe that nation states collect 0-day vulnerabilities. They are valuable commodities in the cyber-warfare arena, hoarded or traded like cash. Once used, they can be detected by security researchers and reported, and at that point they lose value rapidly.