1 Introduction
Recognizing a malicious file is like spotting a counterfeit bill. At first glance it may look genuine, but trained eyes notice the subtle signs: something slightly off about the texture, the color, or the watermark. Malicious files use similar tricks -- they disguise themselves as harmless documents, images, or installers. Learning to spot these tricks is your first line of defense before any antivirus even gets involved.
94% of malware is delivered via email
.exe .scr .js: the most commonly abused file extensions
48% of malicious attachments are Office files
2 How It Works
Attackers use several techniques to make malicious files look innocent. Understanding these tricks is key to protecting yourself and your organization.
Common disguise techniques
Double extensions
The file is named "invoice.pdf.exe" -- Windows hides known file extensions by default, so you only see "invoice.pdf" and take it for a PDF.
Icon spoofing
The executable uses a PDF or Word icon to look like a document. The visual appearance does not match the true file type.
Archive wrapping
The malware is hidden inside a .zip or .rar file, sometimes password-protected to bypass email security scanners.
3 Detailed Analysis
Dangerous file types to watch for
Executables (.exe, .scr, .bat, .cmd, .com, .pif)
These files run code directly on your computer. Never open an executable received by email unless you are absolutely sure of its origin.
Script files (.js, .vbs, .ps1, .wsf)
Scripts can be just as dangerous as executables. A JavaScript (.js) file received by email is almost always malicious -- double-clicking it runs the script directly on the system through Windows Script Host, not inside a browser.
Office documents with macros (.docm, .xlsm, .pptm)
Macros are mini-programs embedded in Office files. Attackers use them to download and run malware. Be very cautious with any file that asks you to "Enable Content."
Disk images and archives (.iso, .img, .zip, .rar)
These container formats can bypass security filters. An .iso file mounts as a virtual drive, and its contents may include executables that run without the usual warnings Windows shows for files downloaded from the internet.
Shortcut files (.lnk)
Windows shortcut files can contain hidden commands. A .lnk file that looks like a document shortcut might actually execute PowerShell commands in the background.
How to check a file safely
Show file extensions
In Windows, go to File Explorer > View > check "File name extensions." This reveals double extensions like .pdf.exe that would otherwise be hidden.
Check the file properties
Right-click the file and check Properties. Look at the "Type of file" field -- it reports the type from the file's true (last) extension, so icon spoofing and hidden double extensions do not fool it.
Upload to VirusTotal
Before opening any suspicious file, upload it to VirusTotal.com. It scans the file with 70+ antivirus engines and shows you the results in seconds. If the file may contain confidential data, look up its hash on VirusTotal first rather than uploading the file itself, since uploaded files are shared with the security community.
Open in a sandbox
If you must open a suspicious file, use a sandbox or virtual machine. This isolates the file so it cannot harm your real system.
Try it on mlab.sh
Got a suspicious file? Upload it safely to check its true file type, compute its hash, and scan it against detection engines -- without risking your own machine.
4 Red Flags
Double extension
Any file with two extensions (report.pdf.exe, photo.jpg.scr) is almost certainly malicious. The real extension is the last one.
"Enable Content" or "Enable Macros" prompt
If an Office document asks you to enable macros or content, think twice. Legitimate documents almost never need this. It is the top vector for malware delivery via email.
File size mismatch
A "PDF document" that is 5 MB when it should be a simple invoice, or a "photo" that is only 45 KB, suggests the file is not what it claims to be.
Password-protected archive from an unknown sender
Attackers send password-protected ZIPs with the password in the email body. This is done specifically to bypass email security scanners.
Unexpected file type for the context
Receiving an .iso disk image or a .js script file by email is highly unusual for normal business communication. These formats should raise immediate suspicion.
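The checks from "How to check a file safely" and the red flags above, combined into a small triage script. This is an added example, not mlab's own tooling; the magic-byte table, the extension lists and the sample bytes are constructed for illustration, and an "MZ" header only marks a file as a Windows executable, not as malware.

```python
import hashlib
from pathlib import PurePath

# Extensions the page lists as executables, scripts, shortcuts or disk images.
DANGEROUS_EXT = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                 ".js", ".vbs", ".ps1", ".wsf", ".lnk", ".iso", ".img"}
# Extensions attackers borrow as the "first" extension of a double-extension name.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Constructed magic-byte table: a PE executable starts with "MZ", a PDF with
# "%PDF", and .docx/.xlsx/.zip are ZIP containers that start with "PK".
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\xff\xd8\xff", "jpg"), (b"\x89PNG", "png")]
EXT_TO_KIND = {".exe": "exe", ".scr": "exe", ".com": "exe", ".pif": "exe",
               ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
               ".jpg": "jpg", ".jpeg": "jpg", ".png": "png"}


def real_kind(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Apply the page's checks to one file and return what was found."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    flags = []
    # Red flag: two extensions such as invoice.pdf.exe; the last one is the real one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT:
        flags.append("double extension")
    if last in DANGEROUS_EXT:
        flags.append("dangerous extension " + last)
    # Red flag: the content does not match what the extension claims (spoofing).
    kind = real_kind(data)
    expected = EXT_TO_KIND.get(last)
    if expected and kind != "unknown" and kind != expected:
        flags.append(f"content is {kind}, extension claims {expected}")
    elif kind == "exe" and last not in DANGEROUS_EXT:
        flags.append("executable disguised as " + (last or "no extension"))
    return {"name": filename, "real_kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(), "flags": flags}


if __name__ == "__main__":
    # Constructed sample: an "MZ" header padded with zeros, not a real program.
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    for name in ("invoice.pdf.exe", "report.pdf", "notes.txt"):
        print(triage(name, fake_exe))
```

The SHA-256 in the result is what you would look up on VirusTotal before deciding whether to upload the file itself.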
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/malicious-file
Module: Recognizing a malicious file — File Analysis
Disclaimer: This content is for awareness purposes only.