HIGH RISK HEURISTIC File Inspection

PDF Embedded JavaScript

The file contains JavaScript action markers in its PDF structure. No execution occurred — this is a structural observation.

The PDF specification allows documents to include JavaScript that executes when the file is opened, when a page is viewed, or when form fields are interacted with. These actions are embedded as dictionary entries using keys such as /JavaScript, /JS, and trigger containers like /OpenAction or /AA (Additional Actions).

This is a documented feature of the PDF format — not a bug. The same mechanism that powers interactive form validation also enables code execution without any user prompt beyond opening the file.

PDF JavaScript has a long history as an exploitation vector. It has been used to trigger memory corruption vulnerabilities in PDF readers (particularly Adobe Acrobat), silently drop secondary payloads, redirect users to phishing pages, and extract environment information — all without requiring the user to click anything beyond opening the document.

Even without an exploitable vulnerability, JavaScript in a PDF can submit form data silently, display deceptive overlays, or execute on viewer environments that expose a limited scripting engine. The presence of JavaScript in an unsolicited PDF is a meaningful indicator regardless of whether a known CVE is involved.

Legitimate JavaScript in PDFs is uncommon outside of purpose-built interactive forms from known enterprise software vendors. Phishing PDFs, dropper documents, and weaponized attachments regularly use it.

DETECTION METHOD
ShieldScope scans the raw PDF byte stream for the dictionary keys /JavaScript and /JS, as well as action trigger containers /OpenAction and /AA. Detection is based on byte-level pattern matching against the document body — no rendering, no PDF engine, no JavaScript execution occurs at any point during analysis.

This approach detects the structural presence of JavaScript markers. It does not analyze what the JavaScript does, whether it is obfuscated, or whether it would succeed against a given viewer. The scope is limited to: JavaScript marker present / not present.
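A byte-level marker scan of the kind described above, as an added example rather than ShieldScope's own code: it tokenises PDF name objects so that /JS does not match a longer name, normalises the #xx name escapes the PDF specification allows, and reports the same four markers. The sample PDFs are constructed inline; the severity label is an assumption mirroring this page's classification.

```python
import re

# Dictionary keys and action containers named in the finding description.
JS_MARKERS = (b"/JavaScript", b"/JS")
TRIGGER_MARKERS = (b"/OpenAction", b"/AA")

# A PDF name runs from '/' to the next whitespace or delimiter, so /JS is not
# confused with a longer name that merely starts with the same bytes.
_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")


def _decode_name(raw: bytes) -> bytes:
    # The PDF spec lets any byte in a name be written as #xx; normalise so that
    # /J#61vaScript and /JavaScript compare equal (pure structure, no execution).
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Structural scan: which JavaScript/trigger markers appear in the raw bytes."""
    names = {b"/" + _decode_name(m.group(1)) for m in _NAME_RE.finditer(data)}
    js = sorted(k.decode() for k in JS_MARKERS if k in names)
    triggers = sorted(k.decode() for k in TRIGGER_MARKERS if k in names)
    # Assumed label: a present JavaScript marker yields HIGH, as on this page.
    return {"javascript_markers": js, "trigger_markers": triggers,
            "severity": "HIGH" if js else None}


# Constructed sample: catalog with an /OpenAction pointing at a JavaScript action.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: the same action with the action type written via #xx escapes.
ESCAPED_PDF = b"%PDF-1.4\n3 0 obj << /S /J#61vaScript /JS (x) >> endobj\n%%EOF\n"
# Constructed sample: plain single-page document with no actions.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("escaped", ESCAPED_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf_bytes(pdf))
```

As on the page, this reports only presence: a hit inside a compressed stream or a string literal still counts, and what the script would do is out of scope.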

HEURISTIC

The JavaScript marker itself is OBSERVED — it is directly present in the byte stream and independently verifiable. The HIGH RISK classification is HEURISTIC: JavaScript in a PDF strongly correlates with malicious use but is not exclusive to it. Interactive enterprise PDF forms occasionally include JavaScript legitimately. ShieldScope declares the structural observation and assigns HIGH severity based on the pattern; it cannot determine intent or whether the specific JavaScript payload is harmful without dynamic execution.

  • Do not open in a JavaScript-capable PDF reader unless you have verified the file's source and purpose. Adobe Acrobat and other full-featured readers execute PDF JavaScript by default.
  • Use a minimal renderer — browser built-in PDF viewers (Chrome, Firefox), Evince, or Sumatra PDF do not expose a full JavaScript engine and are lower-risk environments for inspection.
  • If the file arrived unsolicited — via email, download link, or messaging app — treat it as high risk. Submit to a dynamic analysis sandbox (any.run, VirusTotal sandbox, or similar) for behavioral analysis.
  • If from an internal system — confirm with the sender that the file is expected and that interactive form JavaScript is intentional before opening.