
Don't Get Caught Off Guard: Understanding Malicious PDF Uploads
4/30/2025 - Brian O'Neill


The Trusted Document That Shouldn’t Be

PDFs are everywhere: employment contracts, tax forms, boarding passes, invoices. The format was designed to be platform-independent, to render identically on every device, and to be harder to alter casually than the editable document formats used by MS Office and LibreOffice. Over time, it has become the default format for business-critical communication.

Unfortunately, it's not all sunshine and roses: PDFs can be weaponized to devastating effect against an enterprise network. Attackers have learned to manipulate the PDF standard in subtle ways, turning innocent-looking forms or reports into delivery vehicles for malware, data theft, or system compromise.
If your enterprise applications accept PDF uploads, which they almost certainly do, you're already in the blast radius.


How PDFs Become a Weapon

One of the great things about PDFs is how simple they seem to the average user. They're easy to open, read, scroll through, zoom in on, and follow links from. Under the hood, though, a PDF is a graph of objects, compressed streams, filters, and actions, and that complexity opens the door to exploitation.

Attackers most often abuse PDF documents in the following ways:

  • Embedded JavaScript: The PDF standard supports embedded JavaScript, and desktop readers such as Adobe Acrobat ship a JavaScript engine to run it (browser viewers support at most a restricted subset). Scripts can be bound to the document-open event (/OpenAction), to page and form-field events (/AA), or stored as document-level scripts, so they can run without the user clicking anything. Inside the reader, scripts are typically used to open attacker-controlled URLs, submit form contents to a remote server, or chain into a reader vulnerability; outcomes such as forced malware downloads or keylogging require that second step, an escape from the reader's sandbox, rather than the script alone.

  • Malicious file attachments: A PDF can carry other files inside it as embedded file streams: Windows executables (.EXE), Word documents (.DOCX), ZIP archives, even other PDFs. The attachment does not run by itself, but the reader will offer to open or save it, and a /Launch action or a convincing prompt can get a user to execute the payload after the PDF has been accepted by an upload portal and forwarded around the organization.

  • Exploit triggers: Some malicious PDFs don't rely on user interaction at all. They are crafted to trigger parsing bugs (typically memory corruption) in whatever software opens them: desktop readers, but also the server-side libraries that generate thumbnails, extract text, or convert uploads automatically. Against unpatched software the outcome ranges from a crash (denial of service) to arbitrary code execution inside the processing application.

  • Actionable links and form events: PDFs can carry /URI links that lead directly to malicious servers, /Launch actions that start external programs, and /SubmitForm actions that post field contents to a remote URL. A seemingly innocuous prompt, such as "Click here to sign", can be wired to any of these.

  • Social engineering within the PDF: Sometimes the PDF contains no malicious links or executable content at all. It is designed to look exactly like a legitimate bank statement or invoice and trick us into taking a risky next step outside the document itself, such as paying a fraudulent invoice or phoning a number printed in it. Content scanning helps less here; it's up to us to think carefully about whether the file can be trusted, and the signs are usually there if we look closely enough.

Malicious PDFs have a habit of passing through traditional antivirus (AV) and other weakly configured security filters: a malicious file renders exactly like a clean one, and the payload can be hidden in compressed or encoded object streams, split across indirect objects, or written with obfuscated names. Obfuscating malicious content in a structure as complex as PDF is relatively straightforward, and the more sophisticated the attacker, the less likely it is that we'll notice the specific irregularity hidden within the document.
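To make the object-level detail above concrete, here is an added triage script (example code, not from the original article or from Cloudmersive) that looks for the risky name objects discussed in the list (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /URI, /SubmitForm) both in the raw file and inside inflated FlateDecode streams, and that resolves the #xx hex escapes attackers use to hide a name from a naive string search. The sample PDF it builds is constructed for this example and is not a real malware sample; its script body is a harmless placeholder URL.

```python
from __future__ import annotations

import re
import zlib

# PDF name objects that signal the attack surfaces discussed above. The key is
# the name as it appears in a clean file; attackers can write the same name
# with #xx hex escapes (/J#61vaScript), so names are normalized before matching.
RISKY_NAMES = {
    "/JavaScript": "JavaScript action (document-level or event-driven script)",
    "/JS": "inline JavaScript string or stream",
    "/OpenAction": "action that runs automatically when the document opens",
    "/AA": "additional actions bound to page, field or document events",
    "/Launch": "action that starts an external program",
    "/EmbeddedFile": "embedded file attachment",
    "/URI": "link to an external URL",
    "/SubmitForm": "form submission to a remote server",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list[bytes]:
    """Return the body of every stream object, inflating FlateDecode streams.

    Payloads are routinely hidden inside compressed streams, so a search over the
    raw bytes alone misses them. Non-Flate (or deliberately corrupt) streams are
    returned as-is so plain-text payloads are still inspected.
    """
    bodies = []
    for m in _STREAM.finditer(data):
        raw = m.group(1)
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def triage_pdf(data: bytes) -> dict[str, list[str]]:
    """Map each risky name found to the places it was seen ('raw file' or
    'stream #n'). An empty result means no red flags, not that the file is safe:
    object streams (/ObjStm), encryption and other filters are out of scope here.
    """
    findings: dict[str, list[str]] = {}
    surfaces = [("raw file", data)]
    surfaces += [(f"stream #{i}", b) for i, b in enumerate(inflate_streams(data), 1)]
    for where, blob in surfaces:
        text = normalize_names(blob)
        for name in RISKY_NAMES:
            # A name ends at whitespace or a delimiter, so /AA must not match
            # the harmless /AAPL:Keywords entry written by macOS.
            pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_:])"
            if re.search(pattern, text):
                findings.setdefault(name, []).append(where)
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample for this example, not real malware: a one-page PDF
    whose /OpenAction runs a JavaScript action. The /JavaScript name is
    hex-escaped and the script body is Flate-compressed, two cheap tricks that
    defeat a naive search for the literal string '/JavaScript'."""
    script = b"app.launchURL('http://example.invalid/payload', true);"  # constructed
    body = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /J#61vaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    offsets = []
    for num, obj in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return out


if __name__ == "__main__":
    for name, seen in sorted(triage_pdf(build_sample_pdf()).items()):
        print(f"{name:14s} {RISKY_NAMES[name]}  (seen in: {', '.join(seen)})")
```

Run it as a script and the sample file reports /JavaScript, /JS and /OpenAction in the raw file even though the literal bytes "/JavaScript" never appear in it. A regex triage like this is a useful first pass and a good source of detection telemetry, but it is not a substitute for a real parser: object streams, encrypted documents, and less common filters all need proper decoding before the same names can be found.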

Attacks in the Wild

PDFs have been used as phishing bait in more high-profile attack campaigns than we can (or really need to) count. A common, everyday scam we might find in our email spam folder involves a PDF attachment claiming to be an invoice or delivery notice, often with embedded JavaScript lurking inside. When the document is opened, or when a specific link within it is followed, the script might redirect the reader to a credential-stealing site or fetch and install a remote access trojan (RAT).

To offer a slightly more specific, recent example: in 2023, several healthcare and law firms were targeted by malware-laced PDF resumes uploaded via job application portals. Once the PDFs were opened by unsuspecting HR teams, they installed keyloggers in the background and exfiltrated sensitive internal data. There were no macros (PDFs have none in the Office sense) and no visible triggers whatsoever, just invisible automation baked into the document.


Why Signature Scanning Falls Short

Many standard antivirus tools rely too heavily on signature detection, a process that compares file contents to a database of known malware fingerprints. Signature detection has its place in the modern content threat detection landscape, but on its own it's far too easy to bypass. Modern attackers routinely evade it with obfuscated scripts, randomized payloads, and other disguised behaviors that no existing signature matches.

Making matters worse, some PDFs are built to exploit zero-day vulnerabilities in the very tools that scan or convert them. Without deep content verification or behavior-based inspection, there's simply no way to trust a PDF upload at face value.

Intelligent Defense with Cloudmersive Advanced Virus Scanning

Cloudmersive’s Advanced Virus Scan API goes far beyond traditional AV checks. For PDF files, it performs embedded script detection, subfile threat detection (unpacking embedded files within the PDF and investigating their contents independently), object-level analysis, malformed content analysis (ensuring the PDF adheres to strict formatting standards), and traditional signature-based virus and malware detection.


The Advanced Scan API also lets you configure custom threat rules, which means you can block (or allow) PDFs with specific types of content (e.g., attachments, scripts) outright, or quarantine suspicious files for further review.
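As an added example of wiring such a policy into an upload handler (example code written for this article, not Cloudmersive's own SDK), the block below submits the file to the Advanced Scan endpoint and turns the verdict into allow, quarantine or block. The endpoint URL, the option header names (allowScripts, allowExecutables, allowInvalidFiles, allowPasswordProtectedFiles, allowMacros, restrictFileTypes) and the response fields (CleanResult, FoundViruses, ContainsScript, ContainsExecutable, ContainsInvalidFile, ContainsPasswordProtectedFile) follow the Cloudmersive reference as I recall it and should be checked against the current documentation; the verdict dictionaries in the __main__ block are constructed stand-ins for real responses. The point the code makes is independent of the vendor: findings block, "could not inspect" conditions quarantine, and a scanner outage fails closed.

```python
from __future__ import annotations

import json
import os
import secrets
import urllib.request
from typing import Callable

# Endpoint, header names and response fields follow the Cloudmersive Advanced
# Virus Scan reference as the author of this example recalls it (assumption);
# verify them against the current documentation before relying on this code.
ADVANCED_SCAN_URL = "https://api.cloudmersive.com/virus/scan/file/advanced"

# Hypothetical policy for a PDF intake portal: no scripts, no executables, and
# anything the scanner cannot fully inspect goes to a human instead of through.
SCAN_OPTIONS = {
    "allowExecutables": "false",
    "allowInvalidFiles": "false",
    "allowScripts": "false",
    "allowPasswordProtectedFiles": "false",
    "allowMacros": "false",
    "restrictFileTypes": ".pdf",
}


def advanced_scan(pdf_bytes: bytes, api_key: str, filename: str = "upload.pdf") -> dict:
    """POST the file as multipart/form-data and return the parsed JSON verdict."""
    boundary = "----pdfgate" + secrets.token_hex(8)
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="inputFile"; filename="{filename}"\r\n'
        "Content-Type: application/pdf\r\n\r\n"
    ).encode() + pdf_bytes + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Apikey": api_key,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        **SCAN_OPTIONS,
    }
    req = urllib.request.Request(ADVANCED_SCAN_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def decide(result: dict) -> tuple[str, list[str]]:
    """Turn a scan verdict into 'allow', 'quarantine' or 'block' plus reasons.

    Hard findings block outright. Conditions that merely prevent inspection
    (malformed or encrypted files) quarantine, because 'could not inspect' is
    not evidence of cleanliness.
    """
    reasons = []
    for hit in result.get("FoundViruses") or []:
        reasons.append(f"signature match: {hit.get('VirusName', 'unknown')}")
    if result.get("ContainsScript"):
        reasons.append("embedded script (JavaScript or similar)")
    if result.get("ContainsExecutable"):
        reasons.append("embedded executable")
    if reasons:
        return "block", reasons
    if result.get("ContainsInvalidFile"):
        return "quarantine", ["malformed PDF; does not conform to the format"]
    if result.get("ContainsPasswordProtectedFile"):
        return "quarantine", ["encrypted PDF; contents could not be inspected"]
    if not result.get("CleanResult"):
        return "quarantine", ["scanner reported not clean without a specific finding"]
    return "allow", []


def gate_upload(pdf_bytes: bytes, scan: Callable[[bytes], dict]) -> tuple[str, list[str]]:
    """Scan an upload and fail closed: a scanner outage, timeout or garbled
    response must never turn into an accepted file."""
    try:
        result = scan(pdf_bytes)
    except Exception as exc:  # URLError, TimeoutError, JSONDecodeError, ...
        return "quarantine", [f"scan failed ({type(exc).__name__}); failing closed"]
    return decide(result)


def _scanner_down(_pdf_bytes: bytes) -> dict:
    """Stand-in scanner for the offline demo: simulates an unreachable API."""
    raise TimeoutError("scanner unreachable")


if __name__ == "__main__":
    key = os.environ.get("CLOUDMERSIVE_API_KEY")
    if key:  # real call only when a key is configured
        with open("upload.pdf", "rb") as fh:
            print(gate_upload(fh.read(), lambda b: advanced_scan(b, key)))
    else:  # constructed verdicts standing in for API responses
        print(decide({"CleanResult": True}))
        print(decide({"CleanResult": False, "ContainsScript": True}))
        print(decide({"CleanResult": False, "ContainsInvalidFile": True}))
        print(gate_upload(b"%PDF-1.7\n", _scanner_down))
```

The scanner is passed in as a callable so the same gate can be exercised with canned verdicts in tests and with the live API in production. Keep the quarantine path observable (ticket, alert, or at least a log line carrying the reasons list): a gate that quarantines silently on every scanner outage will be "fixed" by someone flipping it to allow.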

Final Thoughts

PDFs have a reputation for being safe, familiar, and non-threatening, largely driven by the frequency with which we create or open them for day-to-day work. That’s exactly what makes them dangerous in the hands of attackers.

If your organization accepts PDF uploads, proactive scanning isn't a nice-to-have: it's essential. If you'd like to learn more about defending against malicious PDF documents with Cloudmersive, please feel free to contact a member of our team.
