At CPDL (http://www.cpdl.org
) we analyzed this subject for scores hosted on our servers. According to http://blog.didierstevens.com/programs/pdf-tools/
most suspicious pdf files may be identified if they include both /AA
statements, as they indicate an automatic action to be performed when the page/document is viewed.
I intended to implement a script that performs this check for all CPDL files. Unfortunately this activity is in my pipeline since a long time...
Anyway, I'm ready to share it with IMSLP when ready.