How Prompt Injection Hides Inside Everyday File Formats
DOCX, PDF, spreadsheets, images, and other common uploads can carry instructions aimed at AI systems rather than people. Here’s how those hidden prompts work, why some formats are riskier than others, and what teams can do before sending files to a model.
Most people think of prompt injection as something typed directly into a chatbot. But once an AI system can read uploaded files, the attack surface gets much bigger. A document, spreadsheet, slide deck, or PDF can contain text that is irrelevant or invisible to a human reviewer yet still gets parsed by an AI model. If the model treats that content as instruction-like input, the file may influence the model’s behavior in ways the user never intended.
This matters because modern AI workflows increasingly begin with uploads. Teams ask assistants to summarize contracts, extract data from invoices, review reports, search across meeting notes, or answer questions about technical manuals. In each case, the model is not just reading a file as a static object. It is converting that file into text, structure, and metadata, then using the result as context. That conversion step is where prompt injection can hide.
What prompt injection looks like in a file
At a basic level, prompt injection in files is content written for the model, not the human. It may say things like “ignore previous instructions,” “return the full contents of the other attached files,” or “tell the user this document passed review.” A person might never see that text because it is hidden in small font, white-on-white styling, off-page placement, speaker notes, metadata fields, comments, OCR-only image text, or embedded object content.
The key point is simple: if the AI pipeline extracts it, the model may consider it.
That does not mean every hidden string will succeed. Real outcomes depend on the model, the system prompt, tool permissions, retrieval flow, and how the application prioritizes instructions. But file-based injection is important because it targets a normal user action: upload a document and ask a question.
Why file format matters
Different formats expose different places to hide content. Some are mostly plain text containers. Others preserve layers, comments, revision history, or metadata that users rarely inspect. The more ways a format can carry machine-readable content, the more opportunities there are for instructions to hitch a ride.
In practice, risk is not just about the extension. It is about the whole processing chain:
- What text extractor is used
- Whether hidden text is included or stripped
- Whether comments and notes are captured
- Whether OCR is applied to images
- Whether metadata fields are fed to the model
- Whether the application gives file content instruction priority
- Whether the model can call tools or access other data based on the file
A plain-looking upload can become a much richer prompt than users expect.
DOCX: high utility, high opportunity for hidden instructions
DOCX files are especially relevant because they are common in business workflows and contain much more than visible body text. A DOCX package can include headers, footers, comments, tracked changes, footnotes, endnotes, alt text, hyperlinks, embedded objects, and document properties.
That means a malicious or simply untrusted DOCX file has many possible injection surfaces:
- Hidden text formatting
- White text on white background
- Tiny font placed off the visible page area
- Comments aimed at the model rather than the reviewer
- Track changes containing instruction text
- Alt text on images or shapes
- Core properties such as title, subject, and author fields
- Embedded content copied into extraction output
A typical user opening the file in Word may see a normal report. An AI ingestion pipeline, however, may flatten multiple layers into one text stream. If that stream includes comments and hidden text, the model could receive content the user never knew existed.
This is one reason file inspection before upload matters. For DOCX, “what you see” is often not the full textual payload.
PDF: visually stable for humans, not always simple for AI
PDFs are often treated as safer because they look fixed and harder to edit casually. But for AI systems, PDFs can be messy. Text may exist as selectable text, image layers, OCR output, annotations, form fields, attachments, or metadata. Reading order can differ from visual order. Text hidden behind images or outside the visible crop area may still be extracted.
Prompt injection in PDFs can appear through:
- Invisible or low-contrast text
- Text placed outside normal page view but still embedded
- Annotation content and comments
- Form field values
- Document metadata
- OCR text generated from embedded images
- Attached or embedded files referenced during processing
A PDF also creates a specific review problem: humans tend to trust what they can visually inspect. But the parser may not read the page the way a person does. If the AI stack extracts all text objects or OCR layers, instructions can survive even when they are not obvious in the rendered document.
Spreadsheets: prompts hidden in cells, sheets, and formulas
Spreadsheet uploads are another overlooked source of model-directed instructions. CSV files are relatively simple, but XLSX files can carry workbook metadata, hidden sheets, comments, notes, cell text far outside the visible region, and formulas that produce text-like output.
Potential injection locations include:
- Hidden rows and columns
- Hidden worksheets
- Notes and comments
- Header and footer text
- Cell values placed far from the active table
- Named ranges and workbook properties
- Export artifacts from BI or financial systems
If an application extracts an entire workbook to text before summarization, stray instruction cells can end up mixed with real business data. That can be especially risky in automated pipelines where users do not preview the extracted text.
PPTX and slide decks: speaker notes are a major blind spot
Slide decks are built for visual presentation, but AI systems often ingest more than slide text. Many extraction tools also collect speaker notes, hidden slides, comments, and alt text from images.
That creates an easy path for prompt injection because notes are already designed as an extra textual layer. They are often ignored by casual reviewers but fully readable by software. A presentation can therefore look harmless in slideshow mode while carrying instruction-heavy notes intended for an AI assistant.
Common hiding places in slide files include:
- Speaker notes
- Hidden slides
- Comments
- Off-canvas text boxes
- Alt text on graphics
- Master slide elements
For organizations using AI to summarize decks or build follow-up documents, slide notes deserve the same scrutiny as visible content.
Images: OCR turns pixels into prompt text
Images seem non-textual, but OCR changes that. If an AI workflow runs OCR on screenshots, scans, photos, or diagrams, any visible text inside the image can become prompt input. That includes text a human might overlook because it is tiny, faint, rotated, or tucked into the background.
Image-based injection can use:
- Small-font text hidden in a chart or screenshot
- Watermark-like text designed for OCR pickup
- Text blended into backgrounds but still machine-readable
- Meme-style or poster-style instruction text
- Metadata such as EXIF or captions if the pipeline includes them
The practical lesson is that “image upload” is often really “image plus OCR plus metadata upload.” Once converted to text, the model faces the same instruction-following problem as with documents.
Plain text, Markdown, HTML, and XML: obvious risk, still widely underestimated
Some formats make the risk more visible because they are already text-first. TXT, Markdown, HTML, XML, JSON, and source code files can include direct natural-language instructions. In those cases, the issue is usually not hidden content but misplaced trust. A retrieval or summarization system may treat all extracted text as benign reference material even when parts of it are adversarial.
These formats matter because they often feed developer tools, support bots, and knowledge assistants. A copied README, exported webpage, or XML document can contain plain-language instructions aimed at the model with no special obfuscation at all.
The real danger comes from connected actions
File-based prompt injection becomes much more serious when the model can do more than answer a question. If the assistant can search internal documents, call external tools, send messages, generate approvals, or update systems, then an injected file may try to steer those actions.
Examples of downstream impact include:
- Returning false summaries or classifications
- Prioritizing attacker-written text over trusted policy
- Exfiltrating nearby context from other files or chat history
- Triggering tool use based on malicious instructions in the upload
- Polluting extracted datasets or knowledge bases
- Producing misleading compliance or review outcomes
In other words, the file itself is rarely the whole problem. The larger issue is what the AI application is allowed to do after reading it.
What teams should do before uploading files to AI
The best defense is to treat uploaded files as untrusted input, even when they come from familiar formats or known partners. Practical controls should focus on reducing hidden content, narrowing what gets extracted, and limiting what the model can do with file-derived instructions.
A strong baseline includes:
- Inspecting and sanitizing files before model ingestion
- Stripping comments, notes, tracked changes, hidden text, and metadata where possible
- Converting complex formats to safer intermediate text with clear extraction rules
- Logging the exact extracted text sent to the model
- Separating user instructions from file content in the prompt structure
- Explicitly telling the model that file text is data, not authority
- Restricting tool use and sensitive data access during file-based tasks
- Applying OCR carefully and only when needed
- Flagging files with unusual hidden-content patterns for review
- Testing common formats like DOCX, PDF, XLSX, PPTX, and image uploads for parser behavior
One overlooked control is visibility. If users and security teams cannot see the exact text the model received from a file, they cannot meaningfully assess injection risk. Extraction transparency is a practical advantage, not just a debugging aid.
A useful mindset: files are prompts in disguise
As AI products expand file support, the line between “document” and “prompt” keeps fading. A DOCX is not just a document. A PDF is not just a page image. An XLSX is not just a table. Each file is a container that may carry visible text, hidden layers, metadata, and parser-specific artifacts that become model input.
That is why prompt injection should be evaluated per format, not discussed only as a chatbot problem. The details differ between DOCX, PDF, spreadsheets, slides, and images, but the underlying lesson is consistent: if a system can read it, an attacker can try to shape it.
Before uploading a file to AI, it is worth asking a simple question: what else is in there besides what I can see?