It is dependent on the PDF program and how it handles loading external content. The same is true for Word documents: if they have a picture hotlinked from a website in them and you open them, and don't have the document viewer configured to go through Tor, it will make a direct connection to the server the image is on. It is hardly hacking; it is just taking advantage of people's lack of knowledge of applications to trick them into revealing their IP addresses. These are called proxy bypass attacks. There are some really subtle ones. Don't drag and drop pictures from the browser to desktop if you use Unity.
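A defender-side check for the Word case described above, as an added example that is not part of the original post: it lists the relationships in a .docx package that point outside the file, which is how a hotlinked picture is stored on disk. The sample package, the `example.invalid` URLs and the function names are constructed for illustration, and treating every non-hyperlink external relationship as something a viewer may fetch on open is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml.ElementTree is a safer parser

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def make_sample():
    """Build a constructed, minimal .docx-like package in memory (not a real document)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE}image" Target="media/logo.png"/>'
        f'<Relationship Id="rId2" Type="{OFFICE}image" TargetMode="External" '
        'Target="http://tracker.example.invalid/pixel.png"/>'
        f'<Relationship Id="rId3" Type="{OFFICE}hyperlink" TargetMode="External" '
        'Target="http://www.example.invalid/"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

def external_targets(docx_bytes):
    """Return sorted (part, relationship kind, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, kind, rel.get("Target")))
    return sorted(found)

def remote_fetch_targets(docx_bytes):
    """External targets other than hyperlinks; a hyperlink needs a click, these may load on open."""
    return [t for t in external_targets(docx_bytes) if t[1] != "hyperlink"]

if __name__ == "__main__":
    for part, kind, target in remote_fetch_targets(make_sample()):
        print(f"{part}: {kind} -> {target}")
```

An empty result only means the package has no linked external parts; it says nothing about how the viewer itself is configured to reach the network.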