Beware of PDF Malware - Think again

Beware of PDF Malware

PDF files are one of the most common ways to share documents electronically. Introduced by Adobe in 1993 and now maintained as an open standard by the International Organization for Standardization (ISO), PDFs are widely used because they preserve formatting across devices and platforms. They support text, graphics, embedded fonts, and interactive forms, and can be viewed in over 50 different software packages—including most web browsers.

However, many people don’t realise that PDFs can also contain JavaScript, which opens the door to potential security risks.

Why PDFs Can Be Dangerous

In the past year, there’s been a significant increase in the use of malicious PDFs in phishing emails. Cyber-criminals like using PDFs because:

  • They’re trusted—commonly sent by banks, telcos, and other reputable organisations.
  • Many people don’t realise they can run code.
  • They can be disguised to appear completely legitimate.

While JavaScript in PDFs is often used for harmless purposes—like validating form inputs or submitting form data—it can also be used maliciously. For example, a PDF might:

  • Redirect users to a phishing website.
  • Attempt to capture and send sensitive form data to a remote server.
  • Exploit vulnerabilities in outdated or insecure PDF viewers.

Although most modern PDF readers are sandboxed (which restricts their access to system files) and ask permission before running code, not all do. It's safer NOT to run the code. There are many different PDF viewers available, and not all follow best security practices. In fact, attackers could even distribute their own viewer designed specifically to bypass protections.

How to Stay Safe

To reduce your risk of PDF-based malware:

  • Disable JavaScript in your PDF viewer settings (if supported).
  • Use a PDF viewer that doesn’t support JavaScript at all for safer reading.
  • Be cautious with email attachments—especially from unknown or unexpected sources.
  • Keep your antivirus and malware protection software up to date. Note that while these tools are important, they may not detect malicious PDFs that use custom code, as many scanners rely on pattern-matching (signatures) rather than behaviour.
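As an added example (not from the article or from CIBIS), here is a Python triage check that looks for the PDF name objects that mark active content, such as /OpenAction and /JS, in two constructed sample files; it also resolves the #xx hex escaping PDF allows in names, which a naive string match for "JavaScript" would miss.

```python
import re

# Constructed sample PDFs (not real malware): a minimal PDF whose catalogue
# has an /OpenAction that points at a JavaScript action, and a plain PDF
# with no active content at all.
PDF_WITH_JS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

PDF_PLAIN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that mark active content. /OpenAction and /AA make
# something run without a click; /JavaScript and /JS carry the script itself.
RISKY_NAMES = [b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"]


def decode_pdf_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name, e.g. /J#61vaScript -> JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def find_active_content(pdf: bytes) -> dict:
    """Count risky name objects in the raw bytes of a PDF.

    Static triage only: names inside compressed object streams are not
    visible here, so an empty result does not prove the file is clean.
    """
    counts = {}
    # A PDF name runs from '/' up to the next whitespace or delimiter character.
    for match in re.finditer(rb"/([^\s/\[\]<>(){}%]+)", pdf):
        name = decode_pdf_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name.decode()] = counts.get(name.decode(), 0) + 1
    return counts


def needs_review(pdf: bytes) -> bool:
    """True when any active-content marker is present in the file."""
    return bool(find_active_content(pdf))
```

A hit means the file deserves a closer look in a viewer with JavaScript disabled, not that it is malicious; harmless form scripts trigger the same markers.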

When Is JavaScript in PDFs Legitimate?

There are valid use cases for JavaScript in PDFs, especially in interactive PDF forms. These forms can perform actions like:

  • Updating fields based on user input
  • Resetting form values
  • Submitting data to a remote server

However, these capabilities also introduce risk, especially if users are unaware of the form’s true purpose or destination.

A Safer Alternative: Formlify

If you need to collect information through interactive forms, a much safer solution is to use a purpose-built online form platform like Formlify. Unlike PDF forms, Formlify:

  • Runs entirely within your web browser
  • Does not rely on local code execution or third-party viewers
  • Keeps data securely within the Formlify system
  • Offers features like conditional logic, calculations, and file uploads

Formlify is built and maintained by CIBIS, an ISO/IEC 27001 certified Australian software developer with a strong focus on data security and compliance.
