Can a PDF carry viruses and other malicious code?

19    13 Jun 2021 14:50 by u/Wingo

And if so, how could I stop it?

Edit: I'm talking about opening a PDF file in a web browser.

9 comments

14
Short answer: Yes.

Slightly longer answer: The malicious payload is usually delivered through an exploit targeted at the viewing platform... For example: I could embed a virus or worm into a PDF, but it would have to be able to escape the Acrobat sandbox where you are viewing it. Best defense is to use an alternate viewer (like Foxit, though that is not always safe). I don't trust browsers like Edge or Chrome. Other options include a different OS like macOS or Linux, or a remote viewing web app, where the PDF is actually opened in the cloud. If I have a high level of suspicion, I'll upload the file to VirusTotal before opening. GL
9
There are some obscure ways to add JavaScript but I have no idea how well implemented this is.
1
Firefox allows you to turn off JS in PDFs. Go to *about:config > pdfjs.enableScripting* and set it to false.
8
Yes, through embedded macros, inserted JS, and bundling/embedding an executable then having the PDF begin execution. These are well-known attack vectors. Do not allow the reader to execute non-PDF files using external applications. Disable JavaScript and macros. If you must read files you don't trust, containerize them. There are plenty of guides on setting up containers specifically for malware.

* Set up a VM with a clean snapshot, or a Docker container.
* View what you need to.
* You might use pdftotext, then export the txt file. This will leave any images behind, which is just as well due to exotic attack vectors.
* When you are finished, delete any changes to the container.
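A quick static triage for the features the comment above says to disable (JavaScript, auto-run actions, launching external applications, embedded files) can decide whether a file even needs the container treatment. This is an added example, not code from any commenter; the sample PDF is constructed inline, and the name list and `#xx` un-escaping are assumptions about what is worth flagging, in the spirit of tools like pdfid.

```python
import re
from collections import Counter

# PDF name objects that mark active or auto-executing content (assumed watch-list).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia")

# Names may be obfuscated with hex escapes, e.g. /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names match the plain spelling."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_risky_names(data: bytes) -> Counter:
    """Count each risky name as a whole token: /JS must not match inside /JSX."""
    text = normalize_names(data)
    counts = Counter()
    for name in RISKY_NAMES:
        # A name token ends at whitespace or a PDF delimiter character.
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[name] = len(re.findall(pattern, text))
    return counts

def triage(data: bytes) -> str:
    """One-line verdict; notes when object streams may hide further names."""
    counts = count_risky_names(data)
    hits = [n for n in RISKY_NAMES if counts[n]]
    note = " (object streams present: compressed names not inspected)" \
        if b"/ObjStm" in normalize_names(data) else ""
    if not hits:
        return "no active-content markers found" + note
    return "active content present: " + ", ".join(hits) + note

# Constructed sample: a catalog whose /OpenAction runs an obfuscated JavaScript action.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

A clean result here is not proof of safety: renderer exploits in fonts or images carry none of these names, which is why the container advice still stands.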
7
keep a distance of six feet away from the pdf if you want to be safe.
3
Wear two masks too
7
Yes. If you'd like to know more, I suggest reviewing the security options and preferences in Adobe Reader, and researching the ramifications of turning those off. Also, consider what may happen from running an unpatched version of Adobe (e.g. a flaw is discovered, Adobe sends out an update, some users don't update and are henceforth targeted and vulnerable to what was patched). I believe the original PDF format & application were to be a complete alternative to the web, with game servers, multimedia and more. External resources may compromise your computer's ID (hardware fingerprint, MAC address, IP address). Saving and sharing a PDF may also share your computer name, username and more (metadata).
5
Yes. There have been numerous flaws with Adobe Reader, including recent versions that could allow some malicious code to run.
2
Yep. All PDF viewers essentially use the same rendering engine. Yet another instance of companies taking open source libraries, forking them, and not addressing any potential underlying vulnerabilities. There are probably zero days yet to be discovered in every application that renders files in PDF. The problem is the interpreter. If you are interpreting input, code can be executed arbitrarily.

If you want to execute a PDF that you believe may have a malicious payload, you would want to do it in a sandboxed environment. Generally, when an exploit successfully executes, it will attempt to contact C2 servers for instructions or malware distribution points to pull other nasties down. Run in a VM, with no internet connectivity. You may be good then. However, VM breakouts are a big category of vulnerability that is in high demand. If there is a VM breakout that targets the platform you are running in, you are still screwed.