How can PDF files have a virus that steals your credentials?

227 views

How can a document, whose only interactions should be to navigate between sections and open hyperlinks, have viruses that steal victims' credentials?


4 Answers

Anonymous 0 Comments

If you don’t have file extensions shown (not the default setting in Windows) then you might actually be dealing with notavirus.pdf.exe, a program that happens to have the same icon as Adobe Reader. You could even call it… an impostor ඞඞඞඞඞඞඞ

The other option is of course abusing some weakness in the way PDFs (or more accurately, PDF readers) work. PDF is a very complex file format, and throughout the history of Adobe Reader and similar software, there have been incidents where maliciously crafted PDF files could trick the program reading them to accidentally overwrite parts of its running code with malicious commands (buffer overflow) and other such errors. IIRC a big one was related to a specific internal compression used to make PDFs with included images/fonts/etc smaller?

EDIT: [Here's a list of Adobe Reader's known historical vulnerabilities](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=adobe+reader). There's apparently a newishly discovered one [that concerns versions from this March and earlier](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26425) that can be used to trick the program into running code it shouldn't be.

Anonymous 0 Comments

1. It might not be a PDF file, but an executable file disguised as a PDF. File extension shenanigans are the easiest way to achieve this (eg. virus.pdf.exe), especially on Windows which uses the file extension to determine the file type, but hides extensions by default.
2. The PDF may be crafted in such a way as to exploit security vulnerabilities in specific PDF reader software and allow the arbitrary execution of embedded code. Really any file can do this, images, audio, text files etc, as long as the software opening it has a sufficient weakness and happens to be the one you use.
3. Adobe’s ~~bastardisation~~ enhancement of the PDF format adds the ability to embed scripting and other advanced functionality into documents, which can be exploited to perform malicious activity.

Anonymous 0 Comments

PDF has become a very complex file format. It can embed any sort of data, including scripts. So an attacker can well embed a malicious program in a PDF document.

Anonymous 0 Comments

> How can a document, whose only interactions should be to navigate between sections and open hyperlinks, have viruses that steal victims' credentials?

Regular PDFs can’t. Like you said, there’s no way for something that contains only text, images and hyperlinks to transmit a virus, or rather no way that we *know* of.

The danger lies in three things: Hiding file extensions, Web-Based PDFs, and clicking links.

Hackers can use the ".pdf" to hide file extensions like ".exe" and ".html" at the end of a file, which can very well run a viral script on a computer. Example: A hacker can name a file "Script.pdf.exe", which is an exe file. They know that if someone sees a file named this then they'd suspect something is up and wouldn't open the file. So what they'll do is *hide* the ".exe" extension so people only see ".pdf" unless they take a closer look at the file, and they'll give the program the icon of a PDF. Hiding file extensions isn't a bad thing in and of itself; Windows uses it so they don't confuse consumers (you can disable it pretty easily), but people with more malicious intentions can use it to create a file that looks like one thing but does another.

The second danger lies in Web-Based PDFs. Not the ones you open in your browser, but the ones that have more sophisticated options like filling and signing digitally. Technically, these aren’t PDFs in this state but are converted to PDFs after they’re completed. The options they contain can be programmed to run hidden scripts on your browser.

The third (and probably most common) danger is clicking a link on a PDF that redirects you to a malicious website. It’s well known that you shouldn’t click links from sources you don’t trust, and a lot of apps stress this, but if there’s a link inside a PDF it can bring you to a website that can cause your computer to go haywire. In this case, it isn’t the PDF *itself* that contains the virus, it just served as a messenger for the origin of the real virus. If you didn’t open the link inside it you would be fine.

That being said, viruses like these are exceptionally rare. With improvements in cybersecurity and awareness of fishy links and scams, it is becoming more and more difficult to create and spread these kinds of dangers. Stay safe!
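The answers above name three things worth checking before trusting a "PDF": a disguised executable with a double extension (answers 1, 2 and 4), embedded scripting and open actions that Adobe's extensions allow (answers 2 and 3), and links inside the document (answer 4). Below is a small defender-side triage script that performs all three checks on a file's raw bytes. It is an added example, not code from any of the answers; the sample documents are constructed inline, the list of "risky" PDF names is my own choice modelled on the kind of keyword scan tools such as pdfid do, and the `#xx` hex-escape normalisation is there only because PDF allows names to be written that way.

```python
"""Triage a suspected PDF: extension vs. content, scripting names, links.

Added example for the thread above; not from the original posts.
All sample files below are constructed for the demonstration.
"""
import re
from pathlib import PurePath

# Magic bytes for the two formats the thread contrasts.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"  # Windows executable (.exe, .scr, .dll)

# PDF names that turn a static document into something that can act.
# Assumed list, chosen for this example; not an exhaustive standard.
RISKY_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/SubmitForm")


def extension_mismatch(filename: str, data: bytes) -> list:
    """Warn when the name says 'PDF' but the content says otherwise."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    # notavirus.pdf.exe: the last suffix decides the type on Windows.
    if len(suffixes) > 1 and ".pdf" in suffixes[:-1]:
        findings.append(f"double extension: real type is {suffixes[-1]}")
    # A genuine PDF starts with %PDF-, whatever its name claims.
    if suffixes and suffixes[-1] == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but content lacks %PDF- header")
    if data.startswith(PE_MAGIC):
        findings.append("content is a Windows executable (MZ header)")
    return findings


def scan_pdf(data: bytes) -> dict:
    """Count risky names and collect /URI link targets in raw PDF bytes."""
    # PDF names may spell characters as #xx hex escapes (e.g. /J#53 for /JS);
    # normalise them so the keyword search is not trivially dodged.
    text = re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)
    counts = {}
    for key in RISKY_KEYS:
        # Negative lookahead so /JS does not also count /JSomething.
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z])"
        n = len(re.findall(pattern, text))
        if n:
            counts[key] = n
    urls = [u.decode("latin-1")
            for u in re.findall(rb"/URI\s*\(([^)]*)\)", text)]
    return {"risky": counts, "urls": urls}


def triage(filename: str, data: bytes) -> dict:
    """Combine both checks into one report for a file name plus its bytes."""
    report = {"file": filename, "warnings": extension_mismatch(filename, data)}
    if data.startswith(PDF_MAGIC):
        report.update(scan_pdf(data))
    return report


# Constructed sample 1: minimal PDF whose open action runs JavaScript.
SCRIPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: plain PDF containing one link annotation.
LINK_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: a PE header wearing a PDF name, not a PDF at all.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in (("invoice.pdf.exe", FAKE_EXE),
                       ("report.pdf", SCRIPTED_PDF),
                       ("form.pdf", LINK_PDF)):
        print(triage(name, blob))
```

This is a first-pass check only: the keyword scan works on raw bytes, so names hidden inside compressed object streams will not be seen, and a file that passes it can still exploit a reader bug of the kind answer 1's CVE list describes. Its value is in catching the cheap tricks the thread actually discusses (a renamed executable, an open action that runs script, a link to review before clicking) before the file ever reaches a reader.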