Is it safe to open a PDF if I don't click anything?

Generally, yes, if your PDF reader is up to date. However, 'Zero Day' exploits can occasionally infect devices just by opening a file. If you don't recognize the sender, don't open the file.

Why do scammers send PDFs instead of links?

Email filters are very good at identifying bad links in text. By putting the link inside a PDF, scammers hope to hide it from the initial security scan.

How can I safely view a suspicious PDF?

Upload the file to a sandbox environment or use a 'View only' mode in a web browser like Chrome, which isolates the file better than a standalone desktop app.

Document Checker

Verify suspicious PDFs before you open them.

Scammers use PDF attachments to bypass email filters that normally catch malicious links. These documents often contain clickable buttons that lead to phishing sites or hidden scripts that can infect your device with malware.

Security Insight

PDF files are the most common file type used in enterprise phishing attacks. Because they appear 'professional' and 'static,' users are 3x more likely to open a suspicious PDF than a suspicious .exe or .zip file.

Detects hidden malicious scripts

Identifies fake 'Invoice' lures

Protects against drive-by downloads

Analyze a PDF Attachment Document Safety Guide

How to spot a Malicious PDF

A PDF file can be much more than just text and images. Watch out for these specific technical and behavioral signals before interacting with any unsolicited document.

The 'Password Protected' trick

Scammers use password-protected PDFs (and provide the password in the email body) to prevent email security scanners from reading the content.

The 'View Document' Button

Instead of real content, the PDF only contains a single large image or button that says 'Click here to view full document'—leading to a phishing site.

Unexpected 'Invoice' or 'Receipt'

Receiving a PDF for a high-value purchase you never made (like a $500 Norton subscription) to panic you into clicking a 'Refund' link.

Hidden JavaScript execution

Malicious PDFs can be engineered to execute code as soon as they are opened in vulnerable PDF readers like old versions of Adobe Acrobat.

What IsThisSpam checks before you trust a sender

Quick verdicts are useful, but the real value is understanding why something looks safe, uncertain, or risky.

Inconsistent File Metadata

The document claims to be an official invoice from 'Microsoft' but the author metadata shows a random name or a completely different company.

Suspicious Redirect Links

Links inside the PDF use URL shorteners (bit.ly) or point to domains that have nothing to do with the supposed sender.

Urgent 'Correction' required

The email claims the PDF contains an 'urgent correction' to your bank account or payroll that must be reviewed immediately.

Mismatched Branding

The PDF uses low-resolution logos, weird fonts, or colors that don't match the official brand identity of the company it's impersonating.

Related guides

Use the checker for the fast answer, then read the deeper guidance for recurring scam patterns.

Attachment Safety Checker

Broad guide for identifying dangerous files in your inbox.

Read the guide

Invoice Scam Checker

Learn how to spot fake billing and payment request documents.

Read the guide

FAQ

These are the questions people usually ask right before they click, reply, or pay.

Got a screenshot or attachment? Our AI can analyse it.

Free scan first, deeper analysis when you need it

Check the sender before you trust the message.

Start with a fast scan, then move to SuperScan when the message involves money, account access, or sensitive documents.

Analyze a PDF Attachment Document Safety Guide