What can hide inside a PDF you didn't make
Embedded files, JavaScript, and hidden annotations travel in PDFs without appearing on any page. Why this matters when you share documents or upload them to AI tools.
You receive a PDF from a supplier. You scroll through the pages, everything looks normal, and you forward it to your team. Later you upload it to an AI assistant for a quick summary.
What you could not see on those pages: two files embedded inside the document, and a JavaScript snippet set to run when the file opens.
What PDFs can carry beyond the visible pages
Three categories of non-visible content show up frequently enough to be worth knowing about:
Embedded file attachments. A PDF can contain other files bundled inside it: Word documents, spreadsheets, other PDFs, even executables. This is a legitimate feature used in legal filings and technical documentation. The problem is you may not know the attachments are there when you receive a file from outside your organization.
JavaScript. The PDF specification supports executable scripts. Acrobat and Adobe Reader can run JavaScript when a document opens, when a button is clicked, or when a specific page is viewed. Most modern PDF readers sandbox or disable this by default, but the code still travels with the file regardless.
Hidden annotations. Annotations with the Hidden flag set are attached to pages but not displayed during normal viewing. They can contain text, markup, or additional metadata that was deliberately or accidentally hidden rather than deleted.
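A quick triage for these three categories is to look for the corresponding name tokens in the file's raw bytes. The Python scanner below is an added example, not PDFShore's code; `scan_pdf`, `CATEGORIES` and the sample bytes are constructed for illustration. It assumes annotations declare /Type /Annot, and it cannot see inside compressed object streams or encrypted files, which it counts under `unscanned_containers`.

```python
import re

# PDF name token: "/" followed by regular characters (delimiters end it).
NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")          # "#4A" escape inside a name
OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
FLAGS = re.compile(rb"/F\s+(\d+)")               # annotation flags entry
HIDDEN = 0x02                                    # bit 2 of /F is the Hidden flag

CATEGORIES = {
    "embedded_files": {b"EmbeddedFiles", b"EmbeddedFile"},
    "javascript": {b"JavaScript", b"JS"},
    "auto_actions": {b"OpenAction", b"AA"},
    "unscanned_containers": {b"ObjStm", b"Encrypt"},
}

def names(chunk):
    """Return the name tokens in chunk with #xx escapes decoded."""
    return [HEX.sub(lambda m: bytes([int(m.group(1), 16)]), n)
            for n in NAME.findall(chunk)]

def scan_pdf(data):
    """Count non-visible content markers in raw PDF bytes."""
    report = {key: 0 for key in CATEGORIES}
    report["hidden_annotations"] = 0
    for name in names(data):
        for key, wanted in CATEGORIES.items():
            if name in wanted:
                report[key] += 1
    # An annotation object whose /F value has the Hidden bit set is not drawn.
    for body in OBJ.findall(data):
        flags = FLAGS.search(body)
        if b"Annot" in names(body) and flags and int(flags.group(1)) & HIDDEN:
            report["hidden_annotations"] += 1
    return report

# Constructed sample: a fragment with the three categories, not a real document.
SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 4 0 R
  /Names << /EmbeddedFiles 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert\\('hi'\\);) >> endobj
6 0 obj << /Type /Annot /Subtype /Text /F 2 /Contents (draft note) >> endobj
7 0 obj << /Type /Annot /Subtype /Text /F 4 /Contents (visible) >> endobj
"""

if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A non-zero `unscanned_containers` count means part of the file is compressed or encrypted, so a clean result from this scan alone is not conclusive and the file needs a full PDF parser.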
Why this matters more when AI tools are reading your PDFs
When you upload a PDF to an AI assistant, summarizer, or document analysis tool, you are passing the full file structure, not just the rendered pages. If that file has embedded attachments, the AI service now has those documents too. If it contains JavaScript, the code is in the payload even if the AI platform does not execute it.
For files that move between organizations (contracts, supplier agreements, regulatory submissions), this is worth a quick check before the upload. You do not always control what ends up inside a PDF that was authored outside your team.
There is a second scenario that comes up more often: outbound sharing. If your authoring workflow produces PDFs with embedded attachments as part of a template or export setting, files you send out are carrying those attachments without you realizing it.
The difference between hiding content and removing it
Covering text with a white-filled shape or moving an element off the visible page area does not remove it from the PDF. The data is still in the file structure and is accessible to any tool that parses the document rather than just rendering it.
The same distinction applies to annotations and attachments. Marking something as hidden in the viewer is not the same as deleting it from the file. Actual removal has to happen at the structure level: the document is rewritten without the object.
Cleaning a PDF before you share or upload it
PDFShore's strip hidden content tool scans for all three categories and removes what it finds: embedded attachments, JavaScript, and hidden annotations. The visible pages stay exactly as they are.
It runs in your browser, so the file does not need to be uploaded to clean it. If the scan finds nothing, the tool still saves a confirmed-clean copy so you have a record that the document was checked.
For files coming from outside your organization that you plan to share further or pass to an AI service, running this first is a small step that removes a real class of unknowns.