PDF files can be flagged as dangerous because, despite their common use for documents, they support complex features like embedded scripts (JavaScript), interactive forms, and links to external websites or files. Malicious actors exploit these capabilities to hide harmful code. The danger lies not in the standard format itself, but in the potential for these features to be used to download malware, steal information, or trick users into unsafe actions. This differs from simpler static formats like plain text files, which lack such active elements.

In practice, attackers use dangerous PDFs for phishing scams. For example, a seemingly legitimate invoice might contain JavaScript that silently downloads ransomware when opened. Another common tactic involves embedding links disguised as legitimate buttons ("View Document") that direct users to malicious websites designed to steal login credentials or infect systems. Email attachments are the most frequent delivery method across personal and business communications.

While PDFs offer valuable functionality, their potential for misuse presents significant security risks. Security software flags them as dangerous based on suspicious code patterns or behavior detection to prevent harm. The primary limitation and ethical concern involve protecting users from deception and data theft. To mitigate risks, use updated security software, enable restricted modes ("Protected View"), and only open PDFs from trusted sources. Awareness of these dangers remains crucial as attackers constantly refine their tactics.