Guide
Check a PDF before opening it
PDFs often look harmless, but they can contain active actions, embedded files, external links, and hidden text. A local pre-check helps surface those signals.
When is this relevant?
This check is relevant whenever a file arrives unexpectedly, comes from email, messenger, download portals, or AI workflows, or should be cleaned before forwarding.
It matters most for urgent-looking files, unknown senders, or files that would otherwise be opened in apps that interpret active content.
What risks can exist?
Common risks include misleading filenames, active content, external loading targets, hidden metadata, suspicious archive paths, invisible Unicode characters, and prompt instructions for AI systems.
The exact assessment depends on the file type. ScanBeforeOpen therefore shows signals and recommendations, not a complete safety promise.
How does ScanBeforeOpen help?
The file is checked locally in the browser. There is no upload and no execution of the original file.
The result starts with a plain recommendation. Technical details, safe preview, and cleaned exports appear only where they make sense for the file type.
Exactly what is checked
PDF header and extension are compared so renamed file types stand out.
Raw PDF signals such as /JavaScript, /OpenAction, /Launch, /EmbeddedFiles, /AcroForm, and /URI are searched.
Preview renders pages through canvas and does not directly embed the original file.
What to look for
Important signals include JavaScript, OpenAction, Launch actions, embedded files, RichMedia, XFA forms, and external destinations.
Metadata, form submissions, and hidden text matter when a file is forwarded or shared with AI systems.
Safe preview
A PDF should not be displayed directly through iframe, embed, or object. A controlled canvas preview with a page limit is safer.
Critical findings should require an intentional confirmation before preview.
For AI workflows
Extracted text can include hidden instructions that tell a model to ignore safety rules.
Use cleaned text excerpts and check for prompt-injection patterns or invisible Unicode characters.
A safer everyday review flow
Start with the source: Was the file expected, does the context make sense, and can the sender be confirmed through a second channel? Technical findings matter more when the social context is weak.
Then review filename, extension, size, magic bytes, and visible warnings. Do not open the original in another app while you are still assessing it.
If you need to share the content, prefer a cleaned export or a report over the original file. That reduces metadata, active content, and unintended remote-loading behavior.
When to escalate
After critical findings or several high-risk findings, do not open the file directly. This is especially important for resumes, invoices, contracts, archives, and files framed as urgent.
In organizations, a red result should go to IT support or security owners. Individuals should use professional antivirus or an isolated environment when uncertainty remains.
A green result only means no obvious known risk patterns were found. It is not a guarantee and does not replace approval for confidential content.
Document without spreading risk
When reporting a suspicious file, capture source, filename, time, and findings. Avoid uploading the original file into chats or unknown online services.
Screenshots or a local security report are often enough to decide the next step without redistributing the original.
Practical checklist
- Compare extension and magic bytes
- Check for /JavaScript, /OpenAction, /Launch, and /EmbeddedFiles
- Review external links before opening
- Clean text before AI use
- Do not open directly after critical findings
Clear limits
A browser check does not replace professional antivirus or a malware VM. Encrypted or heavily obfuscated PDFs can only be assessed partially.
FAQ
Is a PDF safe when no finding appears?
No. It only means no obvious risks were found. Continue to trust only known sources.
Why not preview the original PDF?
Direct embedding can handle active content or external resources differently from a controlled preview.
Why scan locally instead of uploading?
Local scanning reduces privacy risk because the original file stays on your device and is not transferred to an unknown service.
Received a suspicious file?
Scan it locally before opening, extracting, forwarding, or feeding it to an AI system.
Open scanner