The popularity of the PDF format has made these documents a recurring attack path against companies and users, whether delivered by email or through seemingly legitimate web downloads.
Its broad compatibility and flexibility work in the attacker's favor: a PDF can include links, forms, scripts, and embedded files capable of triggering downloads, executing code or capturing sensitive information without raising suspicion.
What's behind the rise of malicious PDFs?

The trust these files inspire makes it easier for them to pass filters and quick reviews: they look like ordinary documents (invoices, bank communications or official notices) and open with a click.
Cybersecurity firms such as ESET confirm that malicious PDFs are among the most common detections in email campaigns, placing them in prominent positions in the global threat ranking.
In an operation investigated by experts, a PDF file pretending to come from a public administration included a link designed to download the Grandoreiro banking Trojan, aimed at stealing financial credentials.
Techniques that take advantage of automatic commands in the document have also been observed: for example, a PDF with an OpenAction that launches an embedded Office file and exploits known flaws such as CVE-2017-11882 on outdated machines.
The phenomenon is not a one-off. Various reports on the threat landscape indicate that PDF phishing attacks have grown significantly, driven by their familiar appearance and high open rate.
How to identify them and what risks they entail

Before opening an attachment or a downloaded file, it is advisable to check for clear signs of fraud: a minimal check significantly reduces the probability of falling for malicious PDFs that install malware or steal data.
- Suspicious links: hyperlinks that lead to unknown, unsafe sites or sites with strange domains.
- Permission requests or unusual functions: activation of JavaScript, macros or external downloads without justification.
- Striking errors: poorly written texts, atypical fonts or sloppy design.
- Atypical sizes: files that are too small for the promised content or, on the contrary, excessively heavy.
- Name and extension: tricks like “documento.pdf.exe” or generic titles like “Invoice.pdf”.
- Compressed files: PDF inside ZIP or RAR, a common practice to evade filters.
- Doubtful sender: addresses that do not match the supposedly sending entity or unexpected messages.
The dangers do not end with a simple virus: a manipulated PDF can execute high-impact actions with little or no user intervention.
- Downloading/installing malware: from Trojans and spyware to ransomware, launched in the background.
- Information theft: capturing credentials, personal data or financial information and sending it to the attacker's servers.
- Vulnerability exploitation: exploiting flaws in popular readers (e.g., Adobe Acrobat or Foxit) to execute remote code.
- Targeted attacks: documents tailored to the target company's infrastructure to maximize damage.
Vulnerabilities and protection measures

Researchers have warned of a critical weakness in the document analysis ecosystem: an XXE vulnerability in the Apache Tika PDF module (CVE-2025-54988), exploitable through XFA forms embedded in PDFs.
The affected versions (1.13 to 3.2.1) may allow an attacker to cause local file reading, network reconnaissance and SSRF if the system analyzes a malicious PDF, with little user interaction.
Since Tika integrates with multiple components (standard parsers, applications, and servers), its reach in corporate environments is considerable. An immediate update to version 3.2.2 is the priority measure to close this avenue of attack.
In addition to the patch, it is recommended to validate PDF uploads in applications, segment networks to limit the impact, and monitor suspicious events associated with XML processing.
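As an added illustration of the warning signs listed earlier (double extensions, unexpected JavaScript or automatic actions, embedded files) and of the upload validation recommended here, the following Python triage script is not from the article nor from Apache Tika or any other product it mentions. It scans a PDF's raw bytes and its inflated Flate streams for the name objects behind automatic actions, scripts, launched or embedded files and XFA forms, checks the filename for the "documento.pdf.exe" trick, and returns a verdict; the sample document at the bottom is constructed for the example.

```python
import re
import zlib

# Name objects behind the behaviours the article describes: automatic actions,
# scripts, launching external files, embedded files and XFA forms. /URI is a link.
HIGH_RISK = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
             b"/EmbeddedFile", b"/XFA"]
LOW_RISK = [b"/URI"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _inflate_streams(data: bytes) -> bytes:
    """Raw bytes plus every Flate stream that inflates (object streams can hide
    the catalog, so a grep of the raw file alone would miss /OpenAction)."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed: nothing more to reveal here
    return b"\n".join(parts)

def has_double_extension(filename: str) -> bool:
    """Flags 'documento.pdf.exe': a .pdf that is not the final extension."""
    parts = filename.lower().split(".")
    return len(parts) > 2 and "pdf" in parts[1:-1] and parts[-1] != "pdf"

def triage_pdf(filename: str, data: bytes) -> dict:
    """Return findings, per-name counts and a verdict of ok / review / block."""
    findings = []
    if not data.startswith(b"%PDF-"):
        findings.append("no %PDF- header: not a PDF despite its name")
    if has_double_extension(filename):
        findings.append("double extension in filename: " + filename)
    body = _inflate_streams(data)
    # The lookahead keeps /JS from matching inside a longer name such as /JSX.
    names = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", body))
             for n in HIGH_RISK + LOW_RISK}
    names = {k: v for k, v in names.items() if v}
    if findings or any(n.decode() in names for n in HIGH_RISK):
        verdict = "block"
    elif names:
        verdict = "review"  # plain hyperlinks only: check the target domains
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings, "names": names}

# Constructed sample: the catalog's /OpenAction points at a JavaScript action
# stored in a Flate-compressed object stream.
_OBJSTM = zlib.compress(b"2 0 << /S /JavaScript /JS (app.alert(1)) >>")
_HEAD = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
SAMPLE_PDF = (_HEAD + b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\n"
              b"stream\n" % len(_OBJSTM) + _OBJSTM + b"\nendstream\nendobj\n%%EOF\n")
```

A name-object scan is a first-pass filter, not a parser: use its verdict to decide what to sandbox or reject, never as proof that a file is safe.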
Beyond this specific warning, it is important to internalize good practices: analyze suspicious files in VirusTotal, enable the display of file extensions in the operating system to check the real file type, be wary of compressed attachments, and keep PDF readers and systems updated.
If you have already opened a suspicious document, disconnect from the Internet, perform a scan with antimalware, review processes and persistence, change sensitive passwords and, if appropriate, consult with professionals.
The combination of prudent habits, technical measures, and timely updates is what makes the difference: detecting early signals, applying critical patches, and verifying the source of each PDF drastically reduce the attack surface and keep your data safe.