惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
T
Threat Research - Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
T
Tor Project blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
The Hacker News
The Hacker News
Hacker News - Newest:
Hacker News - Newest: "LLM"
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
Spread Privacy
Spread Privacy
W
WeLiveSecurity
SecWiki News
SecWiki News
A
About on SuperTechFans
H
Help Net Security
博客园 - 司徒正美
Recent Commits to openclaw:main
Recent Commits to openclaw:main
爱范儿
爱范儿
S
Securelist
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
月光博客
月光博客
Jina AI
Jina AI
博客园 - 叶小钗
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
S
Secure Thoughts
The Cloudflare Blog
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
Beware of threats lurking in booby-trapped PDF files
Fabiana Ramírez Cuenca · 2025-10-06 · via WeLiveSecurity

Malware

Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money.

06 Oct 2025  •  , 5 min. read

Beware of threats lurking in booby-trapped PDF files

PDF files have become a staple of our daily digital lives, both at work and at home. They work seamlessly across operating systems and devices, and they couldn’t be easier to create and share. Every day, countless PDF (Portable Document Format) files are exchanged across inboxes and messaging platforms, and chances are, you’ve opened one today without a second thought.

However, this all is also partly what makes PDFs the perfect disguise for all manner of threats. At first glance, PDF files seem about as benign as digital files get. To the naked eye, a malware-laced PDF or, indeed, another file type spreading under the guise of a PDF doesn’t necessarily look much different from an ordinary invoice, resume or government form.

Security researchers are seeing PDF files show up again and again as lures especially in mass social engineering campaigns, but also in APT group operations and even in sophisticated zero-day attacks. Recent ESET telemetry confirms that PDFs rank among the top file types abused in malicious campaigns.

Figure 1. Top malicious email attachment types
Figure 1. Top malicious email attachment types (source: ESET Threat Report H1 2025)

A wolf in sheep’s clothing

Booby-trapped PDFs typically arrive as email attachments or links in phishing messages that trick victims into taking action. As is common with social engineering campaigns, the lures are carefully crafted to spark emotion, such as urgency (think “final notice”), fear (“account suspended”) or curiosity (“test results available”). The end goal is to get you to lower your guard and using all manner of exhortations, such as “pay now” and “review immediately”, pressure you into opening a file or clicking a link.

The attack techniques vary and have over the years included:

  • Embedded scripts that run when the file opens, letting attackers launch various actions and deploy additional payloads. JavaScript in PDFs can perform legitimate tasks, such as creating interactive forms and automating processes, but it’s also abused to download or execute code.
  • Hidden or malicious links: Links contained in the PDF can redirect you to credential-harvesting pages or prompt you to download a malicious ZIP archive or executable.
  • Exploiting vulnerabilities in PDF readers: Malformed objects or specially crafted content can take advantage of bugs in vulnerable versions of common PDF readers and lead to code execution, as was the case with a software loophole affecting Adobe Reader and documented by ESET researchers.
  • Files that only pose as PDFs and are instead scripts, executables or even malicious Microsoft Office files, among others, but their true file extensions may be hidden. While you may see a file called “invoice.pdf”, clicking it actually launches an executable.

Speaking of which, earlier this year we wrote about a campaign that distributed the Grandoreiro banking trojan and started with an email urging the victim to open a document, ostensibly in PDF format. In reality, it’s a ZIP archive containing, among other things, a VBScript file that unleashes Grandoreiro on the device and ultimately gives criminals access to the victim’s banking credentials.

pdfs-malware-detectar-riesgo.afip
Figure 2. Phishing email impersonating an Argentinian government agency, complete with a link leading to what poses as a PDF file
pdfs-malware-detectar-riesgo
Figure 3. The site you’re taken to after clicking on the link in Figure 2

How to spot a suspicious PDF

So what are the red flags that should put you on high alert?

  1. The file has a misleading visible name or double extension. This is the case with names like invoice.pdf.exe or document.pdf.scr, especially where attackers cast their nets wide and intend to ensnare as many people as possible. These files actually aren’t PDFs at all – they are just dressed up to look like PDFs.
  2. The sender’s email address or name doesn’t match what the file says. The email sender’s address is different from the organization that the document claims to be from, or the domain is misspelled or suspicious.
  3. The PDF is compressed inside a ZIP or RAR archive. The PDF arrives inside a ZIP or RAR – that’s in a bid to circumvent detection by email filters.
  4. The entire message is unexpected or sounds “out of context”. Ask yourself: did I ask for this file? Do I know the sender? Does it make sense for them to send it to me?
3_HSBC_themed_lure.png
Figure 4. Fake job offer disguised as a PDF file (source: ESET Research)

What to do if you receive a suspicious PDF

If a PDF raises red flags, take these precautions:

  1. Resist the temptation to immediately download or open the file. The adage “when in doubt, kick it out” works here nicely.
  2. Verify the sender and context. Before opening the potentially sketchy attachment, contact the sender by a separate communication channel, such as a phone call, to check that they have really sent it.
  3. Check the file extension and size. Toggle “show file extensions” or similar in your operating system and confirm the file is a real .pdf (not an .exe, for example) and that the file size seems plausible.
  4. Scan the file with your security software (or alternatively, upload it to VirusTotal to get a quick first look).
  5. Open with care. If you absolutely must open it and have taken the other precautions, use an up-to-date PDF viewer with sandboxing or a protected view feature enabled (such as Adobe’s Protected View).

What to do if you suspect you’ve opened a sketchy PDF

  1. Disconnect from the internet to reduce the chance of data exfiltration or further payload downloads.
  2. Run a full computer scan with an updated security solution. If you don’t have any, run a one-time check as available courtesy of ESET’s free scanner.
  3. Check running processes and network connections for anomalies. If you’re not experienced, get a professional to investigate.
  4. Change passwords especially for your financial and other valuable accounts, particularly where you suspect your credentials may have been stolen – but do so from a device other than the one where you downloaded the PDF.
  5. Report the incident to your IT/security team (in case you opened the file on your work machine).

Parting thoughts

These tried-and-tested rules will go a long way towards keeping you safe from dodgy PDFs:

  • If you weren’t expecting the file, don’t open it, at least not without checking first that the file is legitimate.
  • Educate yourself on how to recognize phishing scams.
  • As many attacks rely on known software vulnerabilities, keep your operating system and all other software, including PDF readers, up-to-date.
  • Enable Protected View or sandbox mode in your PDF reader of choice and consider adjusting or disabling your JavaScript settings in it.
  • Use reputable, multi-layered security software on all your devices.

It’s safe to say that cybercriminals will continue to exploit the trust we place in PDFs. The use of PDFs for malicious ends is also a reminder that security threats typically don’t arrive wrapped in suspicious-looking files. The tried-and-true rule applies here, too: Treat every unexpected link and attachment with caution and rely on trusted tools to protect your data and devices.


Let us keep you
up to date

Sign up for our newsletters