This pdf has a simple javascript that displays a popup when opening the file.
It has been created with Acrobat on windows, no manual manipulation and no special tool.
Exefilter (pdfid) does not detect the /JavaScript and the /JS tags, therefore they are not disarmed.
These tags are embedded in an obj within the pdf.
<< /Type /ObjStm /Length 1462 /N 8 /First 50 >>
stream
5 0 6 127 7 151 8 182 9 280 10 535 11 919 12 1180
<< /DA (/Helv 0 Tf 0 g ) /DR << /Encoding << /PDFDocEncoding 29 0 R >> /Font << /Helv 27 0 R /ZaDb 28 0 R >> >> /Fields [ ] >>
<< /JavaScript 7 0 R >>
<< /Names [ (Hello) 8 0 R ] >>
<< /JS (app.alert\({cMsg: "JavaScript action: hello", cTitle: "demo title"}\);) /S /JavaScript >>
<< /Ascent 1026 /CapHeight 632 /Descent -312 /Flags 32 /FontBBox [ -503 -312 1240 1026 ] /FontFamily (Calibri) /FontFile2 30 0 R /FontName /OKZOSG+C
<< /BaseFont /OKZOSG+Calibri /Encoding /WinAnsiEncoding /FirstChar 32 /FontDescriptor 9 0 R /LastChar 117 /Subtype /TrueType /ToUnicode 31 0 R /Type
<< /Ascent 1039 /CapHeight 632 /Descent -349 /Flags 32 /FontBBox [ -519 -349 1263 1039 ] /FontFamily (Calibri) /FontFile2 32 0 R /FontName /UBZYYU+C
<< /BaseFont /UBZYYU+Calibri-Bold /Encoding /WinAnsiEncoding /FirstChar 97 /FontDescriptor 11 0 R /LastChar 118 /Subtype /TrueType /ToUnicode 33 0 R
endstream
endobj