Created on 10-28-2024 10:59 PM. Edited on 01-08-2025 11:56 PM by Jean-Philippe_P.
Description: This article describes a misbehavior of the AntiVirus engine in which a PDF file is detected as a BAT file and blocked according to the configured rule.
Scope: FortiGate.
Solution:
In some situations, the AntiVirus engine may detect a PDF file as a BAT file. If the AntiVirus profile is configured to block BAT files, the PDF is then blocked, as in the following log entry:
date=[REDACTED] time=[REDACTED] id=[REDACTED] itime=[REDACTED] euid=3 epid=[REDACTED] dsteuid=[REDACTED] dstepid=[REDACTED] logver=704032573 sfsid=[REDACTED] logid=1900064000 type="utm" subtype="file-filter" service="SMTP" proto=6 srcip=[REDACTED] dstip=[REDACTED] eventtime=[REDACTED] srcport=[REDACTED] dstport=[REDACTED] policyid=[REDACTED] sessionid=[REDACTED] filesize=[REDACTED] srcintfrole="wan" dstintfrole="lan" direction="outgoing" action="blocked" level="warning" msg="File was blocked by file filter." srcintf=[REDACTED] dstintf=[REDACTED] from=[REDACTED] to=[REDACTED] eventtype="file-filter" sender="[REDACTED] recipient=[REDACTED] subject=[REDACTED] profile="File Blocked" filename=[REDACTED].pdf" filetype="pdf" matchfiletype="javascript" tz="+0800" attachment="yes" srcuuid=[REDACTED] dstuuid=[REDACTED] policytype="policy" srccountry="Malaysia" dstcountry="Reserved" poluuid=[REDACTED] devid=[REDACTED] vd=[REDACTED] csf=[REDACTED] dtime=[REDACTED] itime_t=[REDACTED] devname=[REDACTED] srcuuid_name=all dstuuid_name="Email Server"
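A quick way to spot candidates for this false positive in exported FortiGate logs is to look for blocked file-filter events whose declared file type disagrees with the matched type (the log above has filetype="pdf" but matchfiletype="javascript"). The script below is an added example, not Fortinet code; the sample log lines are constructed, not taken from a live device.

```python
import re
from typing import Dict, List

# Tolerant key=value tokenizer for FortiGate syslog lines: a value is either
# double-quoted (and may contain spaces) or a bare token without spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a dict of field -> value."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def find_type_mismatches(lines: List[str]) -> List[dict]:
    """Return blocked file-filter events whose matched type differs from the
    declared file type, e.g. filetype="pdf" with matchfiletype="javascript".
    Those events are worth reviewing before assuming the block was correct."""
    hits = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if ev.get("subtype") != "file-filter" or ev.get("action") != "blocked":
            continue
        ft, mt = ev.get("filetype"), ev.get("matchfiletype")
        if ft and mt and ft.lower() != mt.lower():
            hits.append({"filename": ev.get("filename"), "filetype": ft,
                         "matchfiletype": mt, "profile": ev.get("profile"),
                         "sender": ev.get("sender"),
                         "recipient": ev.get("recipient")})
    return hits


# Constructed sample lines: one mismatch candidate, one consistent block,
# and one event that is not a file-filter block at all.
SAMPLE_LOGS = [
    'date=2024-10-28 time=22:59:00 type="utm" subtype="file-filter" service="SMTP" action="blocked" msg="File was blocked by file filter." profile="File Blocked" filename="invoice.pdf" filetype="pdf" matchfiletype="javascript" sender="a@example.test" recipient="b@example.test"',
    'date=2024-10-28 time=23:00:00 type="utm" subtype="file-filter" service="SMTP" action="blocked" msg="File was blocked by file filter." profile="File Blocked" filename="run.bat" filetype="bat" matchfiletype="bat" sender="a@example.test" recipient="b@example.test"',
    'date=2024-10-28 time=23:01:00 type="utm" subtype="virus" service="HTTP" action="blocked" filename="x.exe" filetype="exe"',
]

if __name__ == "__main__":
    for hit in find_type_mismatches(SAMPLE_LOGS):
        print(hit)
```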
This is caused by signature matching in the AntiVirus engine. A signature update can be triggered manually by running the following commands in the CLI (the debug output must be enabled first for the update messages to be shown):
diagnose debug enable
diagnose debug application update -1
execute update-now
The update is complete once 'UPDATE successful' appears in the debug output. To stop the debug, run 'diagnose debug disable'.
To check the current signature version, run 'diagnose autoupdate versions | grep -A6 Virus':
Virus Definitions
If the issue persists, open a ticket with Fortinet TAC and share the PDF file for further troubleshooting.