PDF Malware: How Educational Institutions Can Prevent Infection Spreading

Since 2020, there has been a sharp rise in the number of cyberattacks targeting educational institutions. And PDF malware is one of the most common attack vectors.  

Through my work at Heimdal, I regularly speak with staff at universities, schools, and other educational institutions. While IT professionals are usually aware of the risks posed by infected PDFs, many other users – from teachers to administrators to students – often fail to understand the threat.  

So, I wanted to share some of my insights into: 

• Why criminals are targeting the education sector with malicious PDF files 

• How they use PDF files to attack these institutions 

• How you can minimize the risk of PDF malware 

PDFs are widely used at educational institutions 

PDF files are easily one of the most used file formats at educational institutions. From academics sharing peer-reviewed papers, grant application forms, to CVs or invoices, they are used for all kinds of purposes.  

PDFs are popular for many reasons: 

• Accessible: The content of PDF files can be viewed on practically any device, meaning almost anyone can access them.  

• Easy to use: You can easily view PDFs – most browsers, PDF readers, and, of course, Adobe Reader, let you view (and sometimes edit) PDFs for free.  

• Trusted: PDFs are generally perceived as a safe document format (indeed, most institutions recommend using them – this is just one example from a US college). 

Cybercriminals often use PDFs to spread malware 

Unfortunately, cyber criminals are increasingly using infected PDFs to attack educational institutions. 

Take the example of Lumma Stealer, a powerful malware that steals information such as passwords and browser data. In early 2025, cybersecurity investigators reported that malicious actors were specifically targeting educational institutions by distributing the malware disguised as PDF documents.  

Why are malicious actors using PDF malware? 

Cyber criminals are turning to infected PDFs for a simple reason – they work. Malicious PDF files are typically used in phishing campaigns, where criminals pose either as colleagues or external partners. They may send infected PDFs as email attachments or as online documents to be downloaded from web pages that appear legitimate.  

Using PDFs as an attack vector is appealing to criminals because: 

• They’re trusted: PDFs have been around for decades. People tend to trust a file format they know well. They are simply more likely to open or download a document that ends with “.PDF” than a file with an unusual looking name.  

• Low awareness: Compared to Word/Excel files, many people are unaware that PDFs can contain malicious code.  

• Underestimated capabilities: When they open a PDF document, most people simply see read-only text. However, PDFs are actually very powerful files that can contain scripting language, embedded videos, links and forms. When you open an infected PDF, it can automatically trigger actions that execute malicious code on your device. Here’s a very nice example of how powerful a PDF can be. Developers showed that you can play Tetris or even Doom inside of a PDF. You open the PDF and the PDF contains the code to play that game. You can actually play Tetris in a PDF document. 

• Platform agnostic: PDFs were designed to run on practically any operating system and device type. This means infected files have a far wider attack surface than, say, a .exe file that can only run on Windows.  

Why are criminals targeting educational institutions 

Schools and colleges can be a highly attractive target to cyber criminals for a number of reasons: 

• Sensitive data: All educational institutions hold tons of valuable data, including student personal information, exam results, financial information, research data, intellectual property and more.  

• Limited protections: Institutions often have limited resources to protect themselves. 

• Difficult to monitor: Most educational institutions have a high turnover of user accounts, and many users (both students and employees) with limited cybersecurity awareness. 

• Information flow: These organisations have high levels of external communication with students, parents, local authorities, businesses and other educational institutions, which makes it harder to spot suspicious activity. 

• Openness: Most higher education institutions are intentionally open. Researchers’ email addresses are easy to find on public profile pages. These organisations encourage employees to engage with external partners (be that the media, government, industry or civil society), so staff may be less suspicious of emails from external parties than employees in other kinds of organisations.   

 Related: Higher education institutions are increasingly a ransomware target 

How do PDF-based malware attacks work?  

There are several methods that criminals use to infect their victims’ devices through malicious PDF files. But the process usually works as follows.  

1. PDF file weaponization

Cyber criminals weaponize PDFs in many ways. Some of the most common I’ve seen are:  

Exploiting PDF reader vulnerabilities

Criminals can embed JavaScript code inside a PDF which will exploit vulnerabilities in different types of PDF readers. If a criminal has discovered a zero-day in, say, the Foxit PDF reader, they can distribute PDFs containing JavaScript and execute when you open the file in that reader. 

I’ve seen malicious PDFs that had a full tree of decisions. They could detect the platform they were running on, then select, based on that, the zero-day they wanted to exploit. So, one PDF could be created and fine-tuned for Chrome Edge and Adobe Reader. Other readers might not be impacted. Hackers can be very granular.  

Buffer overflow exploits

Criminals can use buffer overflow exploits in PDF files. One approach is to include large headers or footers which opens too many files at once. This triggers the buffer overflow and allows the attacker’s code to spread into end user devices.  

Embedded objects

PDF files allow you to embed various rich media objects like videos, MP3 files or forms. Hackers can manipulate these files to execute code when recipients click on them. These embedded files are particularly dangerous, as traditional antiviruses may not recognise the code as malicious.  

Example: you can manipulate video files to execute code. Now, you embed a video file that is then doing the attack. So, the PDF is only the mule carrying the malware into the system. That’s why AVs don’t recognize it – it’s embedded. It looks like there’s nothing malicious about it. Then you press “play” on the video and the attack happens. 

Insertion of phishing links

Criminals may also insert links to malicious websites into PDFs. Users may be invited to click on these links and unwittingly download files or share login details. 

2. Delivery of the infected PDFs

Once the criminals have weaponized the PDF, they need to deliver it to their victims. The most common method is simply to send the PDF as an email attachment. There are countless social engineering techniques that criminals use. Examples include: 

• Prospective CVs from fictional researchers or students 

• Fake grant application forms 

• ‘Urgent’ invoices from suppliers 

• False media enquiries 

• Phony offers of financial support 

Dedicated attackers will often do thorough background research using platforms like LinkedIn, institution websites, or researchers’ personal social media and tailor their messages to their victims.  

3. Execution, exfiltration and persistence

Once malicious PDF files have been opened or downloaded, the code will run. Depending on the purpose of the malware, it may: 

• lock users out of their accounts 

• steal sensitive data 

• exfiltrate information 

• move laterally within the network and spread to other devices or accounts 

Read more: Warning signs you’ve been infected with malware 

How can the education sector minimise the PDF malware risk? 

If you are responsible for IT or cybersecurity at a school, college or university, I’d really encourage you to spread awareness about PDF malware among your colleagues, students and other end users.  

Training people about the risks associated with PDFs should be the cornerstone of managing this type of threat – feel free to share this blog with your users as a start.  

But besides making people aware of the possibility of infected PDFs, I’d advise using a robust, multi-layered approach to security that is more likely to catch PDF malware.  

The following security techniques work for most educational institutions:  

• Advanced email filtering: Sandbox scanning and multi-engine antivirus detection that can support phishing detection. The AV engines should analyze the macros and either quarantine them or tag them as dangerous. 

• DNS-based protection: Block access to malicious domains the moment a user clicks on it. Best DNS filtering tools can predict if a domain is malicious even if it wasn’t yet blacklisted.  

• Endpoint Detection & Response (EDR): Catch behavioral anomalies even if PDF malware gets through your first lines of defence. 

• Application Control:

– Restrict what PDF readers can execute. 

– Prevent external network communication from PDF processes. 

• Privileged Access Management: Remove unnecessary admin rights and implement Zero Trust policies so malicious actors are prevented from moving laterally. 
• Automatic patch management: Roll out patches to all apps used on your network (including to PDF readers), which can reduce your risk of zero-day exploits.  

Heimdal helps you tackle PDF malware 

There are many ways that criminals can use infected PDFs to attack educational institutions – and they are continually developing new techniques to get around traditional defences.  

And this is why Heimdal’s approach is so valuable. We have developed a unified cybersecurity platform which gives you access to a wide range of security tools, enabling true defence in depth. Rather than offering a single point solution to try and defend against PDF malware, Heimdal gives you multiple tools that work together to tackle most kinds of attack.  

So, even if a hacker has used sophisticated code obfuscation techniques to get past the first layer of email filtering, subsequent security layers can still identify the attack – and stop it from developing further.  

I really believe that our defence in depth approach can help education institutions protect themselves better against threats like PDF malware. And we’ve worked with multiple education providers around the world to implement the most advanced techniques – read how we helped US School Administrative Unit 67 in New Hampshire enhance their defences.   

Contact us today for a demo, and see how Heimdal can help protect your university, school or further education college.  

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube.

Robertino Matausch

Robertino Matausch brings over three decades of experience in cybersecurity. He worked with renowned organizations such as the World Economic Forum (WEF), Formula 1 teams (BMW.Williams.F1, Toro Rosso, Red Bull, FIA), HP, Microsoft, BMW, and AUDI. He has extensive experience in information security, particularly in areas such as penetration testing, intrusion detection, incident response, digital forensics, cryptography, and biometrics. Robertino combines technical depth with storytelling flair to make complex cybersecurity topics accessible and engaging. In Heimdal's team, he is Global Head of Pre-Sales Engineering.