A method for analyzing a document may include obtaining a runtime model for an application used to process the document, extracting, from the document, code blocks each including statements, and generating, using the runtime model, a result including a series of abstract states for each statement of a code block. Each abstract state may include a series of abstract values each corresponding to concrete values. The method may further include determining, using the result and the runtime model, whether the document includes potentially malicious code.