PDFs can contain embedded JavaScript that executes when the document is opened. Attackers use this to exploit vulnerabilities in PDF readers, redirect to phishing sites, or download malware. Look for /JS, /JavaScript, and /OpenAction entries.
VBA (Visual Basic for Applications) macros can execute arbitrary code when enabled. Malicious macros are the most common document-based attack vector. They're stored in vbaProject.bin inside the ZIP structure of DOCX/XLSX/PPTX files.
DDE (Dynamic Data Exchange) allows Office documents to execute commands without macros. A DDEAUTO field can run cmd.exe or PowerShell when the document is opened. Modern Office versions prompt before executing DDE, but older versions don't.
DOCX files can reference external templates via relationships. An attacker can point a template URL to a malicious .dotm file that contains macros, which are then loaded and executed when the document opens.
ActiveX controls in Office documents can execute native code. They're one of the most dangerous features and are frequently disabled by security policies.
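The PDF and OOXML checks described above can be done on raw bytes in the browser. The following is an added example, not DocScan's own code: it looks for the /JS, /JavaScript and /OpenAction names in a PDF (after decoding `#xx` name escapes) and lists ZIP entry names to find vbaProject.bin or ActiveX parts. The function names, the labels `vba-macros` and `activex`, and the sample PDF are assumptions constructed for illustration.

```javascript
// Added example: static triage of raw document bytes (Uint8Array), no dependencies.
const latin1 = (bytes) => new TextDecoder('latin1').decode(bytes);

// PDF names may hex-escape any character (/J#53 is /JS), so decode #xx before matching.
function pdfIndicators(bytes) {
  const text = latin1(bytes).replace(/#([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  const found = [];
  for (const name of ['/JavaScript', '/JS', '/OpenAction']) {
    // Require a non-alphanumeric character after the name so /JS does not match /JSON.
    if (new RegExp(name + '(?![A-Za-z0-9])').test(text)) found.push(name);
  }
  return found;
}

// Read entry names from the ZIP central directory (no decompression needed).
function zipEntryNames(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let eocd = bytes.length - 22; // smallest possible end-of-central-directory record
  while (eocd >= 0 && view.getUint32(eocd, true) !== 0x06054b50) eocd--;
  if (eocd < 0) return [];
  const count = view.getUint16(eocd + 10, true);
  let pos = view.getUint32(eocd + 16, true);
  const names = [];
  for (let i = 0; i < count && pos + 46 <= bytes.length; i++) {
    if (view.getUint32(pos, true) !== 0x02014b50) break; // not a central header
    const nameLen = view.getUint16(pos + 28, true);
    names.push(latin1(bytes.subarray(pos + 46, pos + 46 + nameLen)));
    pos += 46 + nameLen + view.getUint16(pos + 30, true) + view.getUint16(pos + 32, true);
  }
  return names;
}

function ooxmlIndicators(bytes) {
  const names = zipEntryNames(bytes);
  const found = [];
  if (names.some((n) => /(^|\/)vbaProject\.bin$/i.test(n))) found.push('vba-macros');
  // Assumption: ActiveX controls are stored in parts under an activeX/ folder.
  if (names.some((n) => /\/activeX\//i.test(n))) found.push('activex');
  return found;
}

// Constructed sample: a catalog with an open action and an escaped /JS name.
const samplePdf = new TextEncoder().encode(
  '%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n' +
  '2 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n');
console.log(pdfIndicators(samplePdf));
```

A plain byte scan does not see names stored inside compressed PDF object streams, so an empty result is not proof that a file is clean.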
Yes. DocScan processes files entirely in your browser. No files are uploaded to any server. The scanning code runs locally using JavaScript.
PDF, DOCX, XLSX, and PPTX files.
No. DocScan detects common document-based threats like JavaScript, VBA macros, DDE, ActiveX, and template injection. It is not a full antivirus and should be used alongside other security tools.
DDE (Dynamic Data Exchange) is a protocol that can be abused to execute commands in Office documents without macros. Attackers use DDEAUTO fields to run malicious commands when a document is opened.