Eight PDF Files You Don’t Want to Open


One of the largest sources of malware infections is PDF files with scripts buried in them. The embedded JavaScripts have instructions to download and install various types of malware. The Adobe Reader and Adobe Acrobat are the major targets for this kind of attack. Although Adobe seems to issue an unending stream of updates, many PC users still get infected. Here is a tip to help avoid malicious PDF files.

From their antimalware products, Microsoft gathers data about the source of malware infections. The Microsoft MSDN blog has just given a list of common infected PDF files that have been detected. I suspect that many readers of Gizmo’s have scripting disabled in their PDF reader but to be on the safe side here is the list from Microsoft. If you see any of the eight files below, do not open them but delete them permanently.  

  • pdf_new[1].pdf
  • auhtjseubpazbo5[1].pdf
  • avjudtcobzimxnj2[1].pdf
  • pricelist[1].pdf
  • couple_saying_lucky[1].pdf
  • 5661f[1].pdf 7927
  • 9fbe0[1].pdf 7065
  • pdf_old[1].pdf

An article describing how to disable JavaScript in the most common free PDF readers is at this link.

Get your own favorite tip published! Know a neat tech tip or trick? Then why not have it published here and receive full credit? Click here to tell us your tip.

This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.

Click here for more items like this. Better still, get Tech Tips delivered via your RSS feeder or alternatively, have the RSS feed sent as email direct to your in-box.

Please rate this article: 

Your rating: None
Average: 3.9 (41 votes)


Because of interest, I am now writing a tip on how to disable JavaScript in all the popular free PDF readers.
The right-click “scan with” Dr. Web browser addon is a good way to check file links before you download them. https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleg... https://addons.mozilla.org/en-US/firefox/addon/drweb-anti-virus-link-che... The following screenshots show examples of a clean and a suspicious result. The file producing the suspicious result was even zipped so this is a useful tool. http://imageshack.us/a/img163/2746/drweb1.png http://imageshack.us/a/img27/2420/drweb2.png This last screenshots show confirmation of the infected file scanned after download but before opening! I was using Linux Mint 14 KDE at the time so this was scanned using Comodo AV for Linux. http://imageshack.us/a/img545/9198/comodo3.png http://imageshack.us/a/img41/9506/comodoy.png

As far as I know Sumatra doesn't do JavaScript.

Or at least there's no reference to it that I can see in Sumatra's docs or options.

What about embedded PDF readers in browsers? Same story?

Browser plug-ins and add-ons can have similar vulnerabilities.

Thanks for the article. I did not realize that PDFs were vulnerable to this type of attack and thought them to be fairly safe to open, even if you didn't know the sender (sometimes I'm just curious to what the spammers are sending these days).

What about using alternative PDF readers, such as Nitro, Foxit, Sumatra, etc? Are they as vulnerable as Adobe Reader?

Because its software is very widely used, Adobe is a particular target for hackers but any reader can have a security flaw. Alternate readers (http://www.techsupportalert.com/best-free-non-adobe-pdf-reader.htm) are probably attacked less often but I would disable JavaScript on any reader unless I specifically needed it. As one commenter suggests, taking precautions before opening any PDF is always called for.

Thanks, Vic, and thanks for all your good work here on Gizmo's site!
I have disabled Javascript in all my PDF readers.

Moral of the story: don't run Windows.

It seems to me the issue is with PDF files, not the application you open the files with. What ever happened to the old adage that if you don't know the sender / aren't expecting a specific download, you leave well enough alone, i.e., you don't open unsolicited attachments or files?

I certainly don't open them - its the circular file for them. Worse case is that someone you know has to resend an email to you. Far better that than an infection!

Agree with pdf's sent via email, BearPup. My concern would be opening an email from a website, say, 'pricelist.pdf' as mentioned above. The others look suspicious from the get-go.

I wondered the same thing (about other PDF readers) and decided that I'd disable scripting in everything, since most of them would also run scripts that are embedded in a PDF document.

Turning off scripting in Adobe Reader:
From the menu, select Edit, then Preferences, then JavaScript. Then unclick Enable JavaScript.

Until Oracle can come up with a method of defeating all such problems, I've shut off JavaScript in everything that uses it.

@ gruff,
icbw but, i was under the impression that oracle didn't have anything to do with "javascript", they are the "java development platform" owners, the much-exploited browser plug-in, (and pc s/ware) that used to belong to sun microsystems. that being said, oracle was attempting to get the 'java' platform to run in a 'javascript'. i'm not sure how that turned out though.

michael clyde

Thank you. I searched adobe help, but couldn't find out how to do that.

Is this just a problem with Adobe or with PDF-Xchange and others as well? If only Adobe, would be nice to mention Gizmo's 'non-Adobe pdf viewer' section.

I know this isn't a 'how to' article but a short explanation or link to how to disable scripting would have also been nice.

PDF-XChange Viewer: Edit> Preferences> JavaScript> untick Enable JavaScript Actions. HTH ;-)


I was wondering if you had any information on vulnerabilities associated with Foxit PDF reader.


Any PDF reader with JavaScript enabled might be vulnerable, There are also other possibilities. Several years ago Foxit had a stack overflow problem. Only read PDFs from known sources and scan them with your anti-malware software first.