Researchers from FishNet Security developed a new attack technique against websites that serve up binary file content like PDFs from dynamically built URLs. The technique they developed was precipitated by a real-world penetration test and code review conducted by Shawn Asmus and Kristov Widak. Their methods give attackers the means to stealthily extract data and serve up hidden malware by attacking SQL injection vulnerabilities on these types of sites. They also believe that it could be used against Web applications that deliver other content types beyond PDF.
Source: https://www.darkreading.com/database-security/serving-up-malicious-pdfs-through-sql-injection

