by Woberto 1436 days ago
Sorry, but as a layperson I wasn't aware I needed to be careful with PDFs - they can have malware?? Would somebody mind explaining this to me?
2 comments

PDFs are horrible for potential malware. There are so many ways for a PDF to run some block of code or reach out over the network for (something), and thus lead to malware being retrieved or installed. Think of all the things a PDF has support for, such as dynamic fields, arbitrary byte retrieval, user inputs, field updates, comments, stylings, embedded objects, object references, hell even an attempt at parsing CSS stylesheets, etc etc. PDF doc is one of the current _worst_ formats to try and avoid malicious activity from.

Yes they can have malware; in a few more ways than easily detected or realized. Don't trust PDFs you didn't create yourself.

For years I optimized my PDF reader problem for app size (I do not use extended features). Hmm, now, I would prefer to optimize for safety. Which implementation is considered safest on Windows for now? pdf.js/in-browser readers? Standalone app?

Occasionally there are remote code execution exploits. The JavaScript-based PDF rendering in Firefox and Chrome is usually safe from these, so most people who don't download a PDF reader aren't affected by this.

Edit: Turns out, the PDF parser in Chrome exists outside the webpage sandbox. Only Firefox has a pdf.js based PDF viewer. In Chrome, you have to use extensions to get the safer pdf.js based PDF reader.

TBH, I wouldn't trust any PDF reader that has access to the network and disk outside the file that it is immediately reading.