1

I've received an email which is an obvious phishing attempt. However, a .pdf has been attached which I want to open, just out of curiosity!

What are the risks in downloading .pdf files from unknown sources? Can .pdf's be harmful to my phone or computer, or is it just an attempt to look like it's come from a legitimate source?

trashpanda
  • 111
  • 1
  • 6
  • 3
    Yes, PDFs can be very very harmful (one of the most common places to embed a virus). But are you asking if there is danger in downloading but not opening, or downloading *and* opening? – schroeder Mar 13 '18 at 17:59
  • 1
    Related but perhaps not a duplicate: https://security.stackexchange.com/questions/64052/can-a-pdf-file-contain-a-virus – IllusiveBrian Mar 13 '18 at 18:00
  • @schroeder, I'm not sure. What about just opening the file, without downloading it? – trashpanda Mar 13 '18 at 19:42
  • I am concerned that you have not been exposed to very basic security awareness and phishing basics. Do you have a deeper question that I am not seeing? – schroeder Mar 13 '18 at 19:52
  • @schroeder Nope, I just had no idea .pdf's could be harmful until today - I'd always thought they were just static documents... but that's why I'm asking, I suppose :) Thank you – trashpanda Mar 13 '18 at 20:34
  • 1
    Any attachment can be a vector for infection. That is why the main advice has always been to ***never*** open an attachment from a source that you do not know or cannot verify. Some organisations strip all attachments that are in inbound emails. – schroeder Mar 13 '18 at 20:47

1 Answers1

2

Check out this thread on superuser, which explains how PDFs can do damage:

PDF files are both complex (so easy to have bugs in parsing code that can be used for malware) and have Javascript, which can be used for nefarious purposes as well.

A PDF exploit is one way in which these file types can be dangerous:

Earlier this month, Belgian researcher Didier Stevens demonstrated how malicious PDFs could use a standard feature of the PDF specification to run attack code hidden in the file; he also demonstrated a way to modify an Adobe Reader warning message in order to further trick users into opening such documents.

If I recall correctly, and a post in the Stack Overflow thread "Safely opening .txt files" supports my recollection, the only safe file type is .txt, but I could be mistaken.

  • 3
    The vulnerability is not the format itself but rather the software with which you open the file. If you open a .txt file with notepad and notepad has a vulnerability, then yes, it can be harmful as well. – Xavier59 Mar 14 '18 at 03:20
  • 1
    With the advent of Unicode even .txt files are not always safe; check the recent exploits of Apple systems by some emojis. – Martin Schröder Mar 14 '18 at 09:11