PDF Malware Scanner

Upload a suspicious PDF and Mythos extracts the object tree, decodes any embedded JavaScript, flags launch actions and macro pivots, and returns a verdict — for free, no AV-cloud upload.

Modern PDF malware is rarely a simple virus. It's a launcher: a stripped-down PDF that triggers a system call, opens a remote URL, or pivots to an Office macro the moment you click 'Yes' on a permission prompt. Most antivirus engines miss it because the PDF itself is technically valid — Adobe parses and renders it perfectly. The PDF Malware Scanner unpacks the file the way a forensic analyst would: object by object, stream by stream, decoded JavaScript and decoded launch actions in plain English.

Unlike VirusTotal or Hybrid-Analysis, nothing is shared with security vendors or detonated in third-party sandboxes that could leak sensitive content (legal contracts, medical reports, financial statements). The PDF is parsed locally in our Swiss-hosted pipeline, the object tree is reconstructed in memory, then discarded. If you choose to generate the forensic dossier, we keep a hash-locked copy with the analysis attached; otherwise the file is gone within 24 hours.

How it works

  1. Upload the PDF

     Drag-and-drop the suspicious PDF into Mythos. Max 50 MB on free plan, 200 MB on Pro. We accept any PDF version (1.4 to 2.0) plus encrypted PDFs with the password.

  2. Wait ~15 seconds for parsing

     Mythos extracts the object tree, decodes each stream, decompiles any embedded JavaScript, and follows action chains. Average time: 12-18 seconds for a 5 MB PDF.

  3. Read the structured verdict

     You get GREEN / AMBER / RED, a list of the specific suspicious objects with byte offsets, decoded JavaScript snippets in plain text, and a recommendation (block / sandbox / open with caution).

  4. Generate the dossier (optional)

     For incident-response documentation or to forward to your SOC team, generate the forensic dossier — hash of the original PDF, the decoded objects as exhibits, and a CVE-style write-up.

What we detect

  • Embedded JavaScript with obfuscation (eval, fromCharCode, escape)
  • Launch action triggers (cmd.exe, powershell.exe, mshta)
  • OpenAction auto-executing on file open
  • URI / GoToR actions pointing to suspicious domains
  • Embedded files (EmbeddedFile streams) including Office macros
  • Form XObject + AcroForm exploitation patterns
  • Suspicious filter chains (FlateDecode + ASCIIHexDecode obfuscation)
  • PDF/A vs PDF discrepancies suggesting tampering
  • Stream entropy outliers (encrypted payload markers)
  • Cross-reference table corruption suggesting injection
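
A static triage pass over a few of the indicators listed above, as an added example (this is not Mythos code). It parses bytes only and never executes anything; the score weights, the verdict thresholds and the sample bytes are assumptions made for this sketch, and only FlateDecode streams are decoded.

```python
import re
import zlib

# Name tokens and JS markers from the detection list above; weights are assumed.
INDICATORS = {b"/OpenAction": 2, b"/Launch": 3, b"/JavaScript": 2, b"/JS": 2,
              b"/EmbeddedFile": 1, b"/GoToR": 1, b"/URI": 1}
JS_MARKERS = (b"eval", b"fromCharCode", b"escape")
NAME = re.compile(rb"/[^\s/<>\[\](){}%]+")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def triage(pdf: bytes):
    """Return (verdict, findings); findings are (byte_offset, description)."""
    findings, score = [], 0
    for m in NAME.finditer(pdf):
        name = decode_name(m.group(0))
        if name in INDICATORS:
            score += INDICATORS[name]
            note = " (hex-escaped)" if name != m.group(0) else ""
            findings.append((m.start(), name.decode() + note))
    for m in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates trailing or truncated bytes around the data
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            body = m.group(1)  # unfiltered, or a filter this sketch skips
        hits = [k.decode() for k in JS_MARKERS if k in body]
        if hits:
            score += 2
            findings.append((m.start(1), "stream contains " + ", ".join(hits)))
    verdict = "RED" if score >= 5 else "AMBER" if score >= 2 else "GREEN"
    return verdict, sorted(findings)

# Constructed samples: PDF object syntax only, not complete documents.
JS_STREAM = zlib.compress(b"eval(String.fromCharCode(97,108,101,114,116))")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + JS_STREAM +
          b"\nendstream\nendobj\n%%EOF\n")
BENIGN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
```

Each finding carries the byte offset of the matching token, so a result can be checked against the file in a hex viewer.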

Frequently asked questions

How is this different from VirusTotal?

VirusTotal shares uploads with 60+ AV vendors and can be searched by anyone with API access — that's a leak vector for confidential documents. We do the analysis locally, in-memory, in our Swiss pipeline. Nothing is forwarded to AV vendors or third-party sandboxes. The verdict is also more interpretable: instead of '5 of 70 engines flagged', you get the specific decoded JavaScript snippet that triggered the call, with byte offsets you can verify yourself.

Can the scanner handle encrypted PDFs?

Yes, if you provide the password. We decrypt in-memory, parse, then discard the decrypted form. The hash we keep is the encrypted original. For password-protected PDFs whose password you don't have, we can still inspect the catalog and unencrypted metadata, which often reveals the threat vector even without full decryption.

What happens if my PDF is genuinely malicious?

Mythos parses but never executes. There's no Acrobat Reader running on our backend, no JavaScript engine, no launch action triggered. The malicious payload remains inert text. You get the verdict, the decoded payload as evidence, and a recommendation to delete the file, change passwords if you already opened it, and run a full system scan with your endpoint AV.

Ready to start?

Open Mythos, describe the situation, upload the evidence. Free triage, court-grade dossier from CHF 29/month.


Encrypted. No training on your files. WORM audit chain. Trust hub.