Found line with both /JS and /OpenAction: /JS () >> /OpenAction << /S /JavaScript /JS (app.alert('Hacked!')) >>)
[VULNERABLE] Payload injection confirmed!
The /OpenAction was injected into the PDF structure.