Why You Should Never Open a PDF File from an Unknown Source

PDF files can also be malicious. In many ways. Beware if you get any on your device.

We all receive spam via SMS. Lots of spam. Most are immediately recognizable: the original number is unfamiliar, and the message is rarely in doubt. Lately, a new kind of spam seems to be spreading. This usually comes via email rather than a phone number, with blank text and a PDF attached. Whoever is behind these spam messages wants recipients to open said PDF and follow any links in the file.

Beware of Malicious PDF Files

If you receive this message, do not open the PDF file. It is not worth it. These practices are well known. Microsoft recently patched one such vulnerability (Follina) that allowed an attacker to execute PowerShell commands after a user opened a corrupted Microsoft Office file. Yes, it is possible to attack a user’s device with a harmless-looking file.

It is impossible to imagine a similar scenario with a malicious PDF sent via SMS. If someone discovers a vulnerability in iOS or Android, they can develop malware that can harm your smartphone. Again, there are no reports of such schemes or hackers using PDF, but it’s better to be safe than sorry.

Therefore, it is recommended: do not open the PDF. If you did, the PDF is most likely full of spam texts to nudge you one way or the other. And inevitably there will be a link to go. NOT.

As with all scam links, there is no way to tell where they will take you or what will happen to your device or data while you are there. Again, following a link can take actions against your will. More often than not, however, these links lead to fake sites designed to mimic completely legitimate sites and trick you into downloading malware or entering simple personal details. Of course, don’t do any of this.

What to do if you receive a spam PDF

The next time a PDF like this appears in your messages, here’s what you should do. Normally you should report the message to your operator, but since it is a PDF file, you will not be able to transfer the document. Instead, provide the email address twice: the operator will look for the message itself on the first message, you will need to send the email address the second time.

These systems are not designed to handle non-SMS spam, but this workaround is still better than nothing. By reporting an email address, you will be participating in the removal of it from senders, which, of course, is a small drop in the ocean of spammers, but it is important.