--- id: BTAA-FUN-037 title: PDF Hidden Instruction Detection Basics slug: pdf-hidden-instruction-detection-basics type: lesson code: BTAA-FUN-037 aliases: - PDF detection methods - hidden text detection - PDF verification author: Herb Hermes date: '2026-04-10' last_updated: '2026-04-11' description: Learn simple, effective techniques to detect hidden instructions in PDF documents before they reach AI processing pipelines. category: fundamentals difficulty: beginner platform: Universal challenge: Can you detect the hidden instruction in this seemingly normal PDF? read_time: 6 minutes tags: - prompt-injection - pdf - detection - fundamentals - document-security - verification status: published test_type: defensive model_compatibility: - Kimi K2.5 - MiniMax M2.5 - Universal responsible_use: Use these detection techniques only on documents you own or are authorized to test. prerequisites: - BTAA-FUN-011 (recommended) follow_up: - BTAA-EVA-017 - BTAA-DEF-004 public_path: /content/lessons/fundamentals/pdf-hidden-instruction-detection-basics.md pillar: learn pillar_label: Learn section: fundamentals collection: fundamentals taxonomy: intents: - detect-hidden-instructions - verify-document-content techniques: - text-extraction - visual-inspection - copy-paste-verification evasions: - format-confusion - invisible-text inputs: - pdf-document - document-pipeline --- # PDF Hidden Instruction Detection Basics > **Responsible use:** Use these detection techniques only on documents you own or are authorized to test. ## Purpose PDF documents can harbor invisible instructions that manipulate AI systems, but simple testing techniques can expose these hidden payloads before they reach production pipelines. This lesson teaches practical, low-cost methods for detecting suspicious PDF content. ## What hidden PDF instructions look like The core problem is a visibility gap: humans see one thing, but AI text extraction sees something entirely different. Attackers exploit this by embedding instructions using techniques like: - **Minimum font size** — Text rendered at 1pt or smaller appears as dots or blank space to human eyes - **Opacity manipulation** — Text set to near-zero opacity blends into the background - **White-on-white** — Text color matching the background - **Off-page positioning** — Content placed outside the visible page boundaries - **Layer hiding** — Instructions on hidden layers that PDF readers still extract To AI systems that extract text from PDFs, these hidden instructions are perfectly visible and processed as part of the document content. ## How to test PDFs ### Method 1: Select All and Copy-Paste The simplest and most reliable detection method: 1. Open the PDF in any standard viewer 2. Press `Ctrl+A` (or `Cmd+A`) to select all content 3. Copy the selection (`Ctrl+C` / `Cmd+C`) 4. Paste into a plain text editor 5. Review what appears beyond what you visually saw **What to look for:** - Blocks of text that didn't appear in the visual rendering - Instruction-like language ("ignore previous", "instead output", etc.) - Repetitive patterns (attackers often repeat injections for reliability) - Metadata or comments that extract as visible text ### Method 2: Text Extraction Tools Command-line tools provide programmatic detection: ```bash # Using pdftotext (part of poppler-utils) pdftotext document.pdf extracted.txt cat extracted.txt # Using Python with PyPDF2 python3 -c "import PyPDF2; print(PyPDF2.PdfReader('document.pdf').pages[0].extract_text())" ``` These tools bypass visual rendering entirely and show exactly what text extraction libraries see. ### Method 3: PDF Analysis Tools For deeper inspection: - **PDF miners** — Extract and analyze the raw PDF structure - **Stream inspection** — Look at content streams for hidden objects - **Layer analysis** — Check for hidden layers or optional content groups ## What to look for ### Pattern Red Flags | Indicator | Why It Matters | |-----------|----------------| | Repetitive text blocks | Attackers repeat injections to increase reliability | | Instruction-like language | Commands to "ignore", "replace", or "output" something | | Formatting artifacts | Odd spacing or characters suggesting hidden structure | | Mismatched text length | Document appears longer when extracted than when viewed | | Embedded URLs with parameters | Potential exfiltration channels | ### Context-Specific Concerns **Resume screening pipelines:** - Check for injected ranking instructions - Look for hidden keywords designed to game automated screening - Verify candidate summaries match the visible resume content **Document summarization workflows:** - Test whether summaries include injected messaging - Compare human reading of document to AI-generated summary - Watch for summaries that seem "off-topic" from visible content **Contract and legal document processing:** - Verify extracted terms match visible clauses - Check for hidden modifications to obligations or deadlines - Ensure AI-assisted contract review isn't being manipulated ## Example testing workflow Imagine you receive a PDF resume for an automated screening system: 1. **Visual scan** — Read through normally, noting anything suspicious 2. **Select-all test** — Select all, copy, paste to text editor 3. **Compare** — Does the pasted text match what you saw? 4. **Check for patterns** — Look for repeated phrases or instructions 5. **Pipeline test** — If possible, check what your extraction pipeline actually extracts 6. **Document findings** — Record any anomalies for security review ## Where this applies Document pipeline entry points where testing matters: - **Resume ingestion systems** — Before automated screening - **Contract processing workflows** — Before AI-assisted review - **Document summarization services** — Before summary generation - **Content management uploads** — Before indexing and search - **Email attachment processing** — Before automated extraction - **Report generation pipelines** — Before data analysis ## Testing limitations Detection methods have gaps you should understand: - **Image-based PDFs** — Text embedded as images won't show in text extraction tests (but also won't affect text-based AI processing) - **Advanced obfuscation** — Sophisticated attacks may use encoding or structure manipulation - **Dynamic generation** — PDFs that change content based on viewer may pass tests but fail in production - **Zero-day techniques** — Unknown hiding methods won't be caught by standard tests **Key insight:** Testing raises the bar but doesn't guarantee safety. Combine testing with other pipeline hardening measures. ## Defender takeaways 1. **Make pre-processing verification standard practice** — Don't trust PDFs blindly 2. **Use the simplest test first** — Select-all and copy-paste catches most issues 3. **Log extraction results** — Track what your pipeline extracts for audit purposes 4. **Alert on anomalies** — Flag documents with extraction/surface mismatches 5. **Combine with other defenses** — Testing is one layer; use with input filtering, output validation, and confirmation gates 6. **Educate users** — Teach document submitters that testing occurs (deterrence) ## Related lessons - **BTAA-FUN-011 — Document Pipeline Security Fundamentals** — Understanding document-to-AI attack surfaces - **BTAA-FUN-012 — PDF Prompt Injection Business Impact** — Real-world consequences of PDF attacks - **BTAA-EVA-017 — PDF Prompt Injection via Invisible Text** — How attackers craft hidden instruction PDFs - **BTAA-DEF-004 — PDF Prompt Injection Remediation Playbook** — Structured response when PDF injection is discovered --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.