Shellax Guide
How to Check If a PDF Is Safe Before Opening It
A PDF can look harmless and still contain risky behavior. Attackers sometimes hide JavaScript, auto-open actions, launch triggers, embedded files, or social engineering text inside a document that appears routine. A quick review process can reduce the chance of opening something dangerous.
1. Start with the source
If the file arrived unexpectedly, came from a spoofed sender, or uses urgent language, treat it with caution before you inspect the contents. The file itself may be dangerous, but the delivery context is often the first warning sign.
2. Look for auto-actions and script clues
Risky PDFs often include markers such as /JavaScript, /JS, /OpenAction, /AA, or /Launch. Those do not automatically prove malware, but they are important signals that the document may attempt to trigger behavior when opened.
3. Check for embedded files
Some PDF attacks hide additional content inside the document, including scripts, archives, or executables. If a PDF contains suspicious embedded filenames or unexpectedly binary-heavy content, it deserves deeper review.
4. Use layered scanning
Static inspection is useful, but it should be paired with background verification when possible. Document structure analysis and secondary checks each catch different parts of the risk surface. The strongest workflow combines multiple signals instead of relying on one verdict alone.
5. Decide what to do next
If a PDF shows script behavior, suspicious actions, or direct detections during background verification, quarantine it and review it in an isolated workflow. If it appears clean, that still does not guarantee safety, but it lowers the immediate risk and helps prioritize further review.
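The marker and embedded-file checks from steps 2 and 3 can be scripted as a first-pass triage. The following is an added example, not code from this guide or its tools: the function names and sample bytes are constructed, and /EmbeddedFile is the standard PDF stream type for attachments rather than a marker listed above. It decodes #xx escapes in PDF names before matching, because a name can be written in escaped form and a plain substring search would miss it.

```python
import re
from collections import Counter

# Names from steps 2 and 3 (/EmbeddedFile is an assumption added for step 3).
MARKERS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# A PDF name is "/" followed by bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    """Count whole-token marker names; track those that were hex-escaped."""
    counts, obfuscated = Counter(), Counter()
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = decode_name(raw)
        if name in MARKERS:  # exact match, so /JSON is not counted as /JS
            counts[name] += 1
            if b"#" in raw:  # escaping a keyword is itself a warning sign
                obfuscated[name] += 1
    return {
        "is_pdf": b"%PDF-" in data[:1024],
        "markers": dict(counts),
        "obfuscated": dict(obfuscated),
        "needs_review": bool(counts),
    }

# Constructed sample documents (not real files).
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\nendstream\nendobj\n"
)
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, triage(doc))
```

This only sees names stored in plain bytes. Markers inside compressed object streams are not visible to it, and byte sequences inside binary streams can produce false hits, so treat the result as one signal alongside the layered scanning in step 4.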
Related tools and guides
For a direct scan, use the PDF malware scan. If you review mixed attachments, the document security scanner and document security checklist give a broader workflow.