Viruses, also known as malware or malicious code, are a significant risk in today’s computing environment. There are billions of different types of viruses and over 560,000 new viruses are detected each day (source).

Cybercriminals use creative methods to deliver viruses to your computer, which brings us to this question: Can they use PDF files to accomplish that? In other words, can PDF files have viruses? 

The short answer is: yes! And PDF is a common modality of transmission for computer viruses.

I’m Aaron, a technology professional and enthusiast with 10+ years of working in cybersecurity and with technology. I’m an advocate for computer security and privacy. I keep abreast of cybersecurity developments so I can tell you how to stay safe on the internet. 

In this post, I’ll explain a little bit about how viruses work and how cybercriminals are delivering them via PDF files. I’ll also cover some of the things you can do to stay safe.

Key Takeaways

  • Viruses generally work by injecting malicious code into your computer or enabling remote access to your computer.
  • While a virus does not need to be located on your computer to work, it does need to have some ability to inject malicious code or operate on your computer. 
  • PDF files are a popular modality of injecting malicious code onto your computer because of the deep legitimate functionality it contains to enable rich digital documentation.
  • Your best defense is a good offense: know what a threat looks like and say “No.”

How Does a Virus Work?

Cybersecurity professionals have written literal volumes on this subject, not to mention thousands upon thousands of hours of training materials in existence worldwide. I’m not going to be able to do the subject justice here but want to highlight at a very simple level how viruses or malware work.

A computer virus is a program that does something unwanted on your computer: modifying expected functionality, providing external access to your information, and/or preventing your access to information. 

The virus does so in a couple of different ways: rewriting how your operating system (e.g. Windows) works, installing a program to your PC, or other modalities. 

Virus delivery takes many forms: inadvertently downloading malicious software, opening a document or PDF, visiting an infected website, or even looking at a picture.

What is common to all viruses is that they need a local presence. For a virus to impact your computer, it needs to be installed on your computer or on a device on the same network as your computer.

What Does This Have to Do With PDF Files?

PDF files are a kind of digital file that provides rich and feature-full digital documents. The key to providing those features is code and functions that enable those features. The code and functions run in the background and are invisible to the user. 

PDF exploits are well documented and are straightforward enough for a mildly sophisticated computer user to accomplish. 

While I’m not going to delve into how to accomplish those exploits, I will highlight that they work by taking advantage of the code and functions I described. They rely on the code and functions to deliver malicious code and run it in the background, unbeknownst to the user. 

Unfortunately, once you open the PDF file, it’s too late. Opening the PDF file is enough for the malware to deploy. You can’t just stop it by closing the PDF file either. 

So How Do I Protect Myself?

There are a few ways to protect yourself.

The most effective way to protect yourself is to stop, look, and think. PDF files with malicious contents are typically accompanied by an email demanding urgency with respect to the document. Some examples of this are: 

  • immediately due bills
  • threats of collections
  • threats of legal action

Cybercriminals prey on people’s fight or flight response to urgency. When looking at email that typically involves opening an attachment to see what’s going on. 

My recommendation when faced with that email? Turn off the computer screen, step away from the computer, and take a deep breath. While that seems like a dramatic response, what it does is removes you from the urgency—you’ve chosen flight over fight. Your mind and body are able to calm themselves and you’re able to process the urgency. 

After you’ve taken a few deep breaths, sit back down and turn on the monitor. Look at the email without opening the attachment. You’re going to want to look for:

  • misspellings or grammatical errors – are there a couple of are there a lot? If there are a lot, then it might not be legitimate. This isn’t dispositive but is a good clue in addition to others that the email is illegitimate. 
  • the sender’s email address – is it from a legitimate business address, someone’s personal email, or is it just a mishmash of numbers and letters? It’s more likely to be real if it’s coming from a business address as opposed to someone’s personal email or a random assortment of characters. Again, this isn’t dispositive, but is a good clue in addition to others. 
  • unexpected subject matter – is this an invoice or bill for something you haven’t done? If, for example, you’re getting an alleged hospital bill, but you haven’t been in a hospital in years, then it might not be legitimate.

Unfortunately, there’s no single piece of information or definite rules you can look to in order to tell if something’s legitimate or not. Use your best tool to figure it out: your personal judgment. If it looks suspicious, call the organization that is purportedly sending you the document. The person on the phone will confirm if it’s real or not. 

Another way to protect yourself is to have antivirus/antimalware software installed on your computer. If you’re using a Windows computer, Microsoft Defender is free, included with your Windows install, and one of the best options on the market. Defender, plus smart usage practices, will defend against most virus threats to your computer. 

Apple and Android devices are a little different. Those operating systems sandbox every application, meaning that every application operates in an independent session from each other and the underlying operating system. Outside of specific permissions, information isn’t shared, and applications cannot modify the underlying operating system.

There are antivirus/antimalware solutions for those devices. Whether or not general consumers need them is debatable. In any event, smart usage practices go a long way to keeping your device safe. 

Conclusion

PDF files can have viruses. In fact, it’s a very common modality of transmission for computer viruses. If you use PDFs intelligently and make sure you only open PDFs that come from known and trusted senders, then the likelihood of you opening a malicious PDF decreases substantially. If you don’t know whether or not to trust a sender, contact them and verify the legitimacy of the document.

What are your thoughts about embedded viruses? Do you have a story about a PDF-delivered virus? Share your experience below.