You receive an email with an attachment named invoice.pdf. It looks harmless, so you double-click it, and a moment later your files are being encrypted. The problem was never the invoice; it was the file type hiding behind a familiar-looking name. Not every file is equally dangerous. Some files are just data that a program reads, while others are instructions your computer will run the instant you open them. Knowing which is which, and knowing how attackers blur the line between them, is one of the most practical security skills you can build. This guide walks through the file types that commonly carry malware, the tricks used to disguise them, and how to check any file before you decide to trust it.
What Makes a File Type Dangerous
A file extension is just a label at the end of a name, like .pdf or .exe. Your operating system uses that label to decide which program should open the file. The danger is not the label itself but what the system does with it. Data files, such as images, plain text, or spreadsheets, are handed to a program that reads their contents. Executable and active-content files are different: when you open them, the operating system runs the code inside them with your own user privileges. That single distinction, whether a file is read or run, is what separates a boring document from a potential infection.
Attackers exploit two facts. First, most people judge a file by its icon and the visible part of its name, not by what it actually is. Second, the true nature of a file lives in its bytes, not in its extension. You can rename a program to end in .jpg and it is still a program. The rest of this guide follows the categories that carry the most risk, roughly in the order you are likely to meet them.
Executables: Code That Runs the Moment You Open It
Executables are the most direct threat because they are, by definition, programs. On Windows the usual suspects are .exe, .com, .scr, .dll, .sys, and installer formats like .msi. On Linux they are ELF binaries, often with no extension at all or a generic one like .bin. A particularly sneaky example is the .scr screensaver: it is nothing more than a regular Windows executable with a different extension, which is why screensaver attachments have been a malware favorite for years.
The reassuring part is that executables are easy to identify from their content, no matter what the file is called. Windows programs begin with the two bytes MZ (a Portable Executable header), and Linux binaries begin with the ELF signature. Our File Security Analyzer reads the first bytes of a file, its so-called magic bytes, and flags Windows PE and Linux ELF executables even when someone has renamed the file to look like a photo or a document. If a file that claims to be an image turns out to start with an executable header, that mismatch is a loud warning sign.
Script Files: Plain Text That Behaves Like a Program
Scripts blur the line between data and code. Files ending in .bat, .cmd, .ps1 (PowerShell), .vbs (VBScript), .js (Windows Script Host), .wsf, and .hta are readable text, but when you double-click them the operating system hands them to an interpreter that executes their commands. A short script can quietly download a second payload, disable defenses, or copy your data, all without shipping an obvious binary.
JavaScript deserves a special note because it confuses people. In a web browser, JavaScript runs inside a strict sandbox and cannot touch your files. A .js file saved to disk and double-clicked on Windows is a completely different story: it runs through Windows Script Host with your full privileges. The same code, wildly different risk. That is why script extensions belong on your watch list, and why our analyzer treats them as high-risk when they show up as the final part of a disguised filename, which is the trick we cover shortly.
Office Documents and the Macro Trap
Word, Excel, and PowerPoint files can contain macros, which are small programs written in VBA (Visual Basic for Applications) and embedded inside the document. Macros exist for legitimate automation, but they are also a classic delivery method for malware. The attack pattern is familiar: a document arrives, opens with a blurred preview, and shows a yellow banner asking you to Enable Content or Enable Editing. Click it, and the macro runs.
Macro-enabled formats such as .docm, .xlsm, and .pptm advertise their capability in the extension, but ordinary-looking documents can carry them too. Under the hood, a modern Office file is actually a ZIP archive of XML parts. Our File Security Analyzer opens that archive and looks for a vbaProject.bin entry, the tell-tale sign that VBA macros are present, and flags any document that contains them. The safest default is to keep macros disabled and only enable them for files you fully trust and were expecting.
PDFs Can Do More Than Display Text
Most people treat PDFs as harmless printouts, but the format is far more capable than that. A PDF can embed JavaScript, define actions that fire automatically when the document opens, and even try to launch external programs. In the raw file these appear as markers like /JavaScript, /JS, /OpenAction, /AA (additional actions), and /Launch. Not every PDF that contains a script is malicious, but embedded code in a document you did not expect is a strong reason to be cautious.
Our analyzer scans the opening region of the PDF for exactly those markers and flags files that contain embedded JavaScript or automatic launch actions, so you can spot an active document before you open it in a reader. It reads the start of the file rather than every byte, so treat a clean result as reassuring rather than absolute, especially for very large PDFs. As a habit, previewing PDFs in your browser, which runs them in a hardened sandbox, is safer than opening unknown files in a full desktop application.
Archives: The Wrapper That Hides the Payload
Archives like .zip, .rar, .7z, and .gz are not dangerous on their own, but they are the favorite wrapping paper for things that are. Compressing an executable into an archive helps it slip past filters that only inspect the top layer, and password-protecting the archive stops many scanners from reading the contents at all. If an email asks you to open an attachment and use the password in the message body, treat that as a red flag rather than a courtesy.
Our File Security Analyzer identifies common archive containers such as ZIP, RAR, and GZIP by their magic bytes, so you can confirm a ZIP is really a ZIP, but be honest about its limits: some formats like 7z are not fingerprinted, and it does not unpack nested archives for you. After extracting an archive, scan the files inside it individually before running or opening anything.
The Double-Extension Trick: invoice.pdf.exe
This is the disguise that catches even careful people. Windows hides known file extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf, often paired with a document-style icon that the attacker chose on purpose. You think you are opening a PDF. You are actually launching a program, because the real extension, the last one, is .exe.
Our analyzer flags a suspicious double extension whenever the final part of a name is a known dangerous program type, including .exe, .bat, .cmd, .scr, .pif, .js, .vbs, .ps1, and .msi. The single best defense on your own machine is to turn off the setting that hides known extensions, so invoice.pdf.exe always looks like what it truly is.
Shortcuts, HTML, and Disk Images
A few less obvious file types round out the list. A Windows shortcut, the .lnk file, can point at a command line that runs a script or downloads malware, all while showing an innocent icon. HTML and SVG files can contain scripts and convincing phishing forms that run the moment you open them in a browser. Disk images such as .iso, .img, and .dmg mount as a virtual drive and have been used to smuggle executables past security warnings that normally attach to downloaded files.
These formats do not share a standard document signature, so when you run one through our analyzer it will report an unrecognized or unknown file type. That is not a bug; an unknown result is itself a reason to slow down and ask why a stranger sent you a file your tools cannot confidently identify.
How to Check a File Before You Open It
You do not need to be a malware analyst to protect yourself. A short, repeatable routine handles the vast majority of risky files. Turn on the option to always show file extensions, so nothing can hide its real type from you. Never trust the icon alone; icons are trivial to fake. Be especially skeptical of unexpected attachments, even when they appear to come from someone you know, since a compromised account will send real mail to real contacts.
When a file matters, verify what it actually is rather than what it claims to be. Compare the extension against the file's true type, check for double extensions, and keep Office macros disabled by default. For anything you are unsure about, take its SHA-256 hash and look it up on a reputation service like VirusTotal before you run it. Security is layered, and file hygiene is only one layer. Strong, unique credentials limit the damage if something does slip through, which our Guide to Generating Secure Passwords covers in detail. For a wider view of protecting your accounts and data, read our Online Privacy Guide 2026.
Try Our Free File Security Analyzer
Want a fast, private way to inspect a suspicious file? Our free File Security Analyzer reads a file's magic bytes to detect its true type, warns you when the extension does not match, catches double extensions, identifies Windows and Linux executables, checks modern (ZIP-based) Office documents for VBA macros, scans PDFs for embedded JavaScript and auto-launch actions, and computes the SHA-256 hash so you can look it up on VirusTotal. Everything runs directly in your browser, so the file itself never leaves your device. It is the quickest way to answer the only question that matters before you double-click: is this file data, or is it code?