SQL Injection vulnerabilities are old-hat, but there are many web applications in production that are still prone to this flaw. One subclass of these are websites that serve PDF documents from dynamically-built URLs. We demonstrate that, in certain cases, trusted websites prone to SQLi that also deliver binary file content such as PDFs can be used surreptitiously for stealthy data extraction and obfuscated malware delivery, even when database security is otherwise configured properly. The talk is based on findings from a real-world application penetration test.