A PDF can contain executable code. JavaScript that runs when the document opens, when pages turn, when form fields gain focus. Automated actions that trigger without user interaction. Hidden objects that launch external applications. Most PDFs contain none of these. When one does, it is usually legitimate: a form that auto-calculates totals, an interactive document that navigates based on user input, a presentation that advances slides automatically. But scripts and automation can also be malicious, hidden by someone who wants the document to do something the recipient does not expect.
Removing hidden scripts and automation from a PDF is a security precaution that should be applied to any document from an untrusted or unknown source before opening it fully, and to any document you are preparing to share with recipients who may use older or less secure PDF readers. The removal process is straightforward once you know where scripts can hide.
According to a 2025 threat report by SonicWall, PDF-based malware attacks increased by 42 percent between 2023 and 2025, with embedded JavaScript being the most common attack vector (SonicWall, "Cyber Threat Report," 2025). Most attacks targeted users with outdated PDF readers that executed embedded scripts automatically. The threat is real and the mitigation is simple: remove the scripts before they can execute.

Where Scripts and Automation Hide in a PDF
Scripts can be attached to multiple locations within a PDF structure. Each location is a separate hiding place that must be checked and cleaned individually. The table below catalogs the common locations and what types of automation typically appear in each.
| Location | Trigger Event | Typical Legitimate Use | Malicious Risk |
|---|---|---|---|
| Document-level | Document open, document close, document save, document print | Displaying a welcome message, validating the document on open, tracking when the document is printed | High: script executes immediately when the document is opened, before the user sees any content |
| Page-level | Page open, page close, page visible | Triggering animations or transitions when a specific page is displayed | Medium: executes when the user navigates to a specific page |
| Form field-level | Field focus, field blur, field change, field validate, field calculate | Auto-calculating totals, validating input formats, auto-formatting entered data | Medium: executes during normal form interaction; may capture keystrokes or modify entered data |
| Link-level | Link click, button press, mouse enter, mouse exit | Navigating to a URL, submitting form data, showing or hiding content | Low: requires user interaction to trigger; may direct to malicious URLs |
Try Protect PDF
No installation needed. Works directly in your browser.
Detecting Scripts Before Processing
Open the PDF in a reader that can display embedded scripts. Adobe Acrobat Pro includes a JavaScript editor that lists all scripts in the document with their locations and trigger events. Most browser-based PDF readers do not execute scripts, which protects your device during viewing, but also do not display them, which means you cannot audit what scripts exist. If you lack access to a script-auditing tool, assume any PDF from an untrusted source may contain scripts. The safest approach is to remove all scripts proactively rather than attempting to determine whether each one is benign. A script you cannot identify should be treated as potentially malicious.
The PDF Security principle for unknown scripts is removal, not evaluation. The cost of removing a benign script, typically the loss of some interactive functionality, is far lower than the cost of allowing a malicious script to execute.
Removing Scripts With Browser-Based Sanitization
Upload the PDF to a browser-based tool that offers flattening, sanitization, or security cleaning. These operations remove all interactive elements: scripts, form field logic, embedded actions, and links. The output is a static PDF that displays the same visual content but contains no executable code. Download the cleaned file and verify by opening it in a reader that supports scripts, confirming that no scripts remain. WukongPDF processes PDFs without executing embedded scripts. The Fix PDF platform strips interactive elements during processing, producing a clean, static output.
Preventing Script Introduction in Documents You Create
When exporting documents to PDF from authoring applications, check the export settings for options related to interactive elements. Disable JavaScript, macros, and embedded actions unless they serve a specific, documented purpose that the recipient expects. A form that auto-calculates totals should include only the calculation scripts. A presentation PDF should not include automatic actions the recipient cannot control. The default for any PDF you distribute should be static content with no executable code. Scripts and automation should be opt-in, not opt-out.
The PDF Tools approach to script hygiene is the same as for any security practice: default to the safest configuration and add interactivity only when it is necessary and the recipient expects it. A PDF that arrives without scripts is a PDF that cannot execute malicious code.
Distinguishing Benign Automation From Malicious Code
Most scripts in PDFs are not malicious. A form that auto-calculates a total from line items, a document that validates input formats on specific fields, or a presentation that navigates based on user interaction all use legitimate automation. The challenge is distinguishing these from malicious scripts when you lack the tools or expertise to audit the code. A practical heuristic: if the script's behavior is visible and predictable, such as a calculation that produces a value you can verify or a navigation action that responds to a deliberate click, it is likely benign. If the script's purpose is not obvious from the document's visible behavior, if it triggers on events the user does not control, or if it attempts to access external resources, it warrants removal. When in doubt, remove and accept the loss of functionality as the cost of security.
For documents you receive regularly from the same source, such as monthly invoices or weekly reports from a known vendor, establish trust incrementally. Process the first document with script removal enabled. Review the output for missing functionality. If the document works correctly without scripts, continue removing them from subsequent documents from that source. If the document loses essential functionality, such as a form that no longer calculates totals, identify the specific scripts that provide that functionality and whitelist them while removing others. Over time, you develop source-specific scripts policies that balance security with functionality.
The Limitations of Antivirus Scanning for PDF Scripts
Antivirus software can detect known malicious scripts through signature matching, but this approach has significant limitations. Signature-based detection only catches scripts that match known malware patterns. New or custom malicious scripts will not be detected. Antivirus software may also flag benign scripts that share surface-level characteristics with malware, producing false positives. Relying on antivirus scanning as the sole script detection method provides a false sense of security. The safest approach for PDFs from untrusted sources is script removal, not script evaluation. The cost of removing a benign script is the loss of some interactive functionality. The cost of allowing a malicious script that evaded detection is potentially much higher.
Try Protect PDF
No installation needed. Works directly in your browser.
