Malware can be embedded in just about anything. PDFs and other documents are a common vector. While scripts and executables are obviously a greater risk, it’s pretty easy to mask malware as those files as well.
For something like a PDF, macOS would open Preview, or some other PDF-handling app, to handle it if the user opens it in the Finder. So the PDF would have to have code in it that exploited some security weakness in the associated app that would cause the code to be executed, correct?
