
What is a PDF scam?
Cybercriminals are increasingly targeting victims with PDF phishing attacks that steal sensitive information or install malware without the victim’s knowledge. These attacks are perpetrated with innocuous-looking email attachments that contain a PDF virus. To ensure the success of their scams, attackers use various social engineering techniques to lull targets into a sense of complacency – such as impersonating legitimate organizations and using urgent language – so that they feel pressured to open the email and take the actions that will activate the PDF’s malicious payloads on their devices.
PDF phishing has become a popular choice for cyberattacks because PDFs are used so frequently that victims inherently trust them and are more inclined to open them. In addition, attackers can easily manipulate PDFs to insert malicious links, scripts, and executable files. As a result, these documents will often pass basic email antivirus checks.
The dynamic nature of the cybersecurity landscape means that there are always new threats – or evolutions of older ones – that users must stay vigilant about. PDF phishing is one example of this.
Can PDFs contain viruses?
The short answer is yes – PDFs can be infected with malicious payloads and sent out in a PDF phishing attack. Although these are normally harmless files, cybercriminals have taken advantage of the fact that PDFs are widely used in personal and professional settings and have figured out how to create different types of PDF viruses with malicious code and infect documents.
PDF scams can involve several different viruses that operate in various manners. Some may manipulate data or completely erase it from a device. Others, specifically Trojans, may gather data stored on a device and send it back to the perpetrator. Others, generally called malware, are more nefarious and can cause serious harm to the devices they infect.
How does a PDF phishing attack work?
Attackers normally use PDF email scams to initiate these types of attacks. In general, victims are targeted with emails that appear to be legitimate and from a reputable sender, like a bank, retailer, or government agency. The email will include a PDF document, which the recipient will be prompted to open. Once open, the PDF may lure the victim into sharing personal information – especially things like login credentials or bank details – or, in other cases, it may initiate malicious payloads that allow the attacker to skim these details, access the victim’s device, or render the device inoperable. In situations of PDF phishing, where the attacker steals the victim’s sensitive data, further crimes may be perpetrated, such as identity theft.
There are several different ways that PDF phishing attacks can occur. Some of the most popular are outlined below.
Form-based attacks
These are a common form of PDF phishing attacks. Usually, the victim receives a phishing email that contains the malicious PDF and will be prompted to enter personal data – such as login credentials – to fill out a form. That data is then stolen and sent to the attacker. The best way to avoid falling victim to these kinds of attacks is to exercise caution around suspicious emails and learn to recognize the signs of phishing.
Malicious scripts
Often, a PDF virus is directly embedded into a PDF file using malicious payloads or scripts. These scripts usually hide within a PDF document, masquerading as innocuous links or buttons. When a victim unsuspectingly clicks on these, the action initiates the attack. The malicious script exploits vulnerabilities in the PDF reader and gives the attacker access to the victim’s device, allowing them to steal sensitive information or install malware. Keeping PDF readers – and all software – up to date helps protect against these types of attacks.
Fake attachments
Another popular form of PDF phishing is fake attachments. These are usually sent to a victim in an email that appears to be legitimate. For example, the email may appear to be from a bank or well-known company, like Amazon, and prompt the recipient to download an attachment, which then installs malware on the device or steals personal data. These types of PDF email scams often employ social engineering techniques to appear legitimate and lure victims into a sense of security. For this reason, it’s crucial to treat unsolicited emails with caution and verify the sender’s identity.
Web-based PDF scams
An increasingly emergent threat, web-based PDF attacks involve tricking users into downloading malicious PDFs from the internet, often from a fraudulent site that impersonates a legitimate one. Once opened, the infected PDF prompts the user to enter sensitive information, which is then forwarded to the attacker. To avoid these scams, always download documents and software from legitimate websites after verifying their credentials.
Fake CAPTCHA redirects
Another type of PDF phishing attack involves the use of fake CAPTCHA redirects. To carry out these attacks, the perpetrator uses a PDF file that displays a CAPTCHA verification. However, when a user clicks on it, they’re redirected to a fake – and malicious – website or asked to enter personal information, like login credentials.
Static images that look like videos
In some cases, attackers trick unsuspecting victims into visiting malicious websites or downloading malware with manipulated images. In the infected PDF file, the attacker will place a static image overlaid with a play button. Victims believe the image is a video and click the play button to watch it but instead activate the malicious action. As such, users should stay vigilant when interacting with content in PDF files.
How to spot a PDF phishing attack
It can sometimes be tricky to spot PDF scams. Cybercriminals have become very adept at manipulating documents and creating sophisticated attacks so that they have a high chance of success. Still, there are certain things that users can look out for, as these can suggest the presence of a PDF virus.
One of the best ways to spot PDF email scams is to learn the common signs of phishing attacks and practice good online safety habits. These may include:
- Being wary of unsolicited emails, especially those from unknown senders.
- Checking sender details – such as email addresses and domains – to ensure they use the correct formatting.
- Paying attention to bad grammar and spelling.
- Being suspicious of emails that have a sense of urgency – this is a common social engineering technique.
- Treating messages that ask for personal details – such as login credentials – with suspicion.
- Taking note of emails from reputable companies – like banks or online retailers like Amazon – asking for payment or logins.
Users who are more technically inclined may also choose to protect themselves by learning about common issues that may suggest the presence of a PDF virus. These can include malicious JavaScript code, manipulated system commands, and embedded objects.
For full protection, Kaspersky Antivirus offers several features to defend against PDF phishing including:
- Scan PDFs for malicious code and block it in real-time.
- Block dangerous URLs embedded in PDFs.
- Flag suspicious attachments in emails before you open them.
How to protect yourself against a PDF virus
The best way to avoid falling victim to a PDF virus is to adopt a series of well-known universal best practices that enhance cybersecurity for internet users. Many of these are common sense tips that most users already know, but it’s easy to get comfortable and become less vigilant over time.
These are the expert-approved methods that will help you avoid PDF phishing:
- Never open or download unsolicited email attachments or text messages, especially from unknown senders.
- Always verify sender identity by checking names, email addresses, and other details for inconsistencies.
- Never click suspicious links, especially in unsolicited emails or text messages.
- Use a secure PDF reader that automatically scans documents.
- Disable JavaScript on PDF readers, as this is usually how malicious code is written into documents.
- Disable PDF readers from executing non-PDF files.
- Remove PDF readers from the list of automatic startup programs.
- Ensure macros are disabled.
- Watch for warnings about potentially malicious attachments from email service providers.
- Use antivirus software and run scans regularly.
- Ensure all operating software and programs, including antivirus software and PDF readers, are up to date and running the latest security patches.
- Regularly back up devices.
- Encrypt any sensitive data stored on devices.
- Practice good password hygiene, including using strong passwords and changing them regularly – a password manager can help.
- Enable two-factor authentication where possible.
- Learn to recognize scam tactics such as requests for personal information, impersonating well-known brands, and bad spelling and grammar.
- Enable the safe browsing feature available on most internet browsers.
You opened a phishing PDF on your iPhone – what do you do next?
If you’ve accidentally opened a PDF containing malicious payloads on your phone or other electronic device, don’t panic. Instead, it’s essential to implement several steps as quickly as possible to try and mitigate any potential damage. Here’s what to do to avoid PDF fraud if you’ve inadvertently opened an infected document:
Immediately disconnect the device from the internet
This greatly reduces the opportunities for the PDF virus to spread to other electronic devices on the same network. It can also help protect any personal data stored on the device, as often, these viruses need an active internet connection to send information to the perpetrator or facilitate unauthorized remote access.
Scan the device with protective software
Regularly scanning device systems with antivirus software is a best practice for detecting, stopping, and removing any kind of malware, including a PDF virus. In the case of a PDF scam, though, running an antivirus scan should help detect and delete the virus as quickly as possible.
Back up data from the device
Although regularly backing up the information stored on a device is a good habit to maintain, it’s especially important to perform an extensive backup after suspected PDF email scams. This is because infected documents may initiate a PDF phishing attack that steals the data or completely erases the device’s hard drive. Having a backup, whether through external hard drives, cloud storage, or built-in software like Mac’s Time Machine, means users can quickly restore their device.
Update login credentials for sensitive accounts
In a PDF phishing attack, cybercriminals may gain access to online accounts stored on the compromised device, such as social media profiles or bank accounts. As such, it’s crucial that users who believe they may be dealing with a PDF scam immediately change their passwords – a good password manager can help create strong new ones. It’s usually a good idea to enable two-factor or multi-factor authentication on important accounts, but it’s especially important to use this to secure accounts after a potential scam.
Set a fraud alert
Personal details that could be exposed in a PDF scam could allow cybercriminals to perpetrate financial fraud or identity theft. To minimize the risk of this occurring after a potential PDF email scam, users may find it useful to set a fraud alert on their credit report, which can help stop these crimes from happening. It may also be wise to contact your bank or credit card company to alert them to the incident, so they stay vigilant to any suspicious activity.
