> A pdf file

pdf files can be setup in a fillable manner(generally used for forms) meaning it has to use from form of executtion to both read and write into these files(usually javascript that CAN carrry malicious code).

as for word documents, microsoft word at least implements a form of scripting that is normally used to automate tasks inside the application and because its a microsoft product it has some interoperability with the windows OS.

when viewing then online, you are seeing them in protected mode which disables every script the file may have so nothing malicious can execute….unless you allow it to by opening the file for editing

aka: dont open microsoft office files you do not trust the soruce from.

> A pdf file

pdf files can be setup in a fillable manner(generally used for forms) meaning it has to use from form of executtion to both read and write into these files(usually javascript that CAN carrry malicious code).

as for word documents, microsoft word at least implements a form of scripting that is normally used to automate tasks inside the application and because its a microsoft product it has some interoperability with the windows OS.

when viewing then online, you are seeing them in protected mode which disables every script the file may have so nothing malicious can execute….unless you allow it to by opening the file for editing

aka: dont open microsoft office files you do not trust the soruce from.

> A pdf file

pdf files can be setup in a fillable manner(generally used for forms) meaning it has to use from form of executtion to both read and write into these files(usually javascript that CAN carrry malicious code).

as for word documents, microsoft word at least implements a form of scripting that is normally used to automate tasks inside the application and because its a microsoft product it has some interoperability with the windows OS.

when viewing then online, you are seeing them in protected mode which disables every script the file may have so nothing malicious can execute….unless you allow it to by opening the file for editing

aka: dont open microsoft office files you do not trust the soruce from.

Yes, PDF inside chrome is safe. The rendering library they use is very well tested and secure.

Windows hides file extensions by default (what a bad idea), so if you have a file called `virus.pdf.exe`, Explorer will display it as `virus.pdf` and hide the exe suffix. Exes can have icons inside them, so you can make the exe icon look like the PDF icon. Clicking on it will execute the program and possibly do something terrible to your PC.

There are tricks using a range of unicode features to hide the exe suffix as well.

MS Office documents (word, powerpoint, excel) can have programs hidden inside them (macros written in a variant of VB) which can be used to attack you. Again, this is a mostly terrible idea, but here we are. They are disabled by default for documents downloaded from the web, but people can be tricked into enabling them.

PDFs allow embedded javascript and this can be used to attack your PC if you view the PDF in an insecure program.

**tldr:** computers are very complex and have piles of mostly useless features accumulated over decades, many of which can be repurposed to make you miserable.

PDFs are not just pure documents. For example if they have a signable field it’s using macros that are stored as Javascript code.

This code can be malicious. So your Adobe Reader will run this script if you allow it to and this script can then do harm.

By default you will get a warning if you want to run this code, but plenty of people will just click accept.

You could create a PDF that doesn’t conform to the PDF standard. Your special PDF could exploit a bug in a PDF reader app. Maybe a bug that lets you run code or open a webpage without asking the user when it is fed a specially created file.

Yes, PDF inside chrome is safe. The rendering library they use is very well tested and secure.

Windows hides file extensions by default (what a bad idea), so if you have a file called `virus.pdf.exe`, Explorer will display it as `virus.pdf` and hide the exe suffix. Exes can have icons inside them, so you can make the exe icon look like the PDF icon. Clicking on it will execute the program and possibly do something terrible to your PC.

There are tricks using a range of unicode features to hide the exe suffix as well.

MS Office documents (word, powerpoint, excel) can have programs hidden inside them (macros written in a variant of VB) which can be used to attack you. Again, this is a mostly terrible idea, but here we are. They are disabled by default for documents downloaded from the web, but people can be tricked into enabling them.

PDFs allow embedded javascript and this can be used to attack your PC if you view the PDF in an insecure program.

**tldr:** computers are very complex and have piles of mostly useless features accumulated over decades, many of which can be repurposed to make you miserable.

PDFs are not just pure documents. For example if they have a signable field it’s using macros that are stored as Javascript code.

This code can be malicious. So your Adobe Reader will run this script if you allow it to and this script can then do harm.

By default you will get a warning if you want to run this code, but plenty of people will just click accept.

Yes, PDF inside chrome is safe. The rendering library they use is very well tested and secure.

Windows hides file extensions by default (what a bad idea), so if you have a file called `virus.pdf.exe`, Explorer will display it as `virus.pdf` and hide the exe suffix. Exes can have icons inside them, so you can make the exe icon look like the PDF icon. Clicking on it will execute the program and possibly do something terrible to your PC.

There are tricks using a range of unicode features to hide the exe suffix as well.

MS Office documents (word, powerpoint, excel) can have programs hidden inside them (macros written in a variant of VB) which can be used to attack you. Again, this is a mostly terrible idea, but here we are. They are disabled by default for documents downloaded from the web, but people can be tricked into enabling them.

PDFs allow embedded javascript and this can be used to attack your PC if you view the PDF in an insecure program.

**tldr:** computers are very complex and have piles of mostly useless features accumulated over decades, many of which can be repurposed to make you miserable.

You could create a PDF that doesn’t conform to the PDF standard. Your special PDF could exploit a bug in a PDF reader app. Maybe a bug that lets you run code or open a webpage without asking the user when it is fed a specially created file.