You just downloaded an attachment, or a friend sent you something over chat, and your cursor is hovering over it. Before you double-click, it is worth pausing. A single opened file is one of the most common ways malware gets onto a computer, because the file often looks harmless: an invoice, a photo, a resume, a shipping notice. The good news is that you do not need to be a security analyst to spot the warning signs. A few practical checks, most of which take seconds, will tell you whether a file deserves your trust or your suspicion. This guide walks through exactly what to look for, and how a browser-based analyzer can do the tedious parts for you.
Start by Asking Where the File Came From
Context is your first and cheapest defense. Ask yourself whether you were expecting this file. An invoice from a company you never bought from, a document from a colleague who never sends documents, or a "delivery update" for a package you did not order are all reasons to slow down. Attackers rely on urgency and familiarity, so a message that pressures you to open something right now deserves extra scrutiny, not less.
Even a file from someone you trust can be dangerous if their account was compromised, so where it came from is a signal, not a guarantee. Treat the source as one input among several. The technical checks below matter precisely because a friendly sender name is easy to fake and easy to hijack.
The File Extension Is Your First Clue
The extension is the part of the name after the last dot, and it tells your operating system what to do when you open the file. Some extensions simply display content, like .jpg, .png, or a plain .txt. Others tell the system to run instructions, and those are the ones that turn a careless click into an infection. On Windows, extensions such as .exe, .bat, .cmd, .scr, .pif, .vbs, .js, .ps1, and .msi can execute code directly. A file that ends in one of those is not automatically malicious, but it can act on your machine, so it earns real caution.
The catch is that many systems hide known extensions by default, so a file shown as report might actually be report.exe. Turning on the option to always show file extensions is one of the simplest protective changes you can make. When you can see the real ending, you can judge it.
The Double Extension Trick
One of the oldest and most effective disguises is the double extension. A file named invoice.pdf.exe reads as a PDF at a glance, especially when the final part scrolls out of view or the true extension is hidden. Your eye stops at .pdf and assumes a document, while the operating system reads the last extension, .exe, and prepares to run a program.
Our File Security Analyzer looks specifically for this pattern. It flags a file when it has more than one dot and ends in a dangerous, executable extension such as .exe, .bat, .cmd, .scr, .pif, .js, .vbs, .ps1, or .msi. If you ever see a name that pairs a document-looking part with an executable ending, treat it as hostile until proven otherwise. Legitimate senders almost never ship files that way.
When the Extension Does Not Match the Real File
An extension is just text in the filename, and anyone can rename a file. The more reliable question is: what is this file actually made of? Every common format begins with a short, recognizable signature in its first bytes, sometimes called magic bytes. A real PDF starts with the characters that spell PDF, a PNG image starts with a fixed PNG marker, a ZIP archive starts with the letters PK, and a Windows program starts with the bytes MZ. These markers do not lie the way a renamed extension can.
The analyzer reads those opening bytes to identify the true type of the file, then compares it against the extension in the name. It recognizes common formats including PDF, ZIP, JPEG, PNG, GIF, WebP, RAR and GZIP archives, legacy Office documents, Windows executables, and Linux ELF binaries. It targets these everyday types rather than every possible format, and it reads only a short signature, so a type that appears to match the extension is reassuring rather than a certificate of safety. Read a mismatch as a prompt to look closer rather than a final verdict. Still, when the name says .jpg but the bytes describe a Windows executable, that is a loud red flag worth acting on. A picture pretending to be a program is exactly the kind of trick this check exists to catch.
Documents That Can Run Code: Macros
Office documents feel safe because we open dozens of them a week, but a Word or Excel file can carry small programs called macros. Macros were designed to automate spreadsheets and reports, yet attackers abuse them to download and run malware the moment you enable content. Macros live in the macro-enabled formats, which end in .docm, .xlsm, or .pptm (the plain .docx and .xlsx formats cannot store them), so an unexpected .docm attachment deserves a careful look.
Modern Office files are really ZIP archives with the document parts packed inside. The analyzer looks into that structure for the signature of an embedded macro project. When it finds one, it warns you that the document contains macros. That does not prove the file is malicious, but it does mean the document can run code, so you should only enable it if you fully trust the source and were expecting an interactive document. If a prompt urges you to "enable editing" or "enable content" to see the real information, that pressure is itself a warning sign.
PDFs That Carry More Than Text
Most people assume a PDF is a static page, but the format can embed scripts and actions that fire automatically when the document opens. The analyzer scans a PDF for the markers of embedded JavaScript and for automatic actions, including launch and open-on-load behaviors, that a plain document has no reason to contain.
A PDF that just shows an invoice or a report should not need to run scripts or launch anything. When those elements are present, it does not automatically mean the file is malicious, since some legitimate forms use scripting, but it is a reason to be careful, to keep your PDF reader fully updated, and to avoid opening the file if you cannot vouch for where it came from.
Executables and Installers Deserve Extra Caution
When the underlying bytes reveal a Windows executable or a Linux ELF binary, the file is a program, plain and simple. Programs can do anything your account can do, which is why the analyzer treats a detected executable as the single most serious finding it can report. Installer packages deserve the same caution from you, because they run with elevated intent by design, but note that some installer formats are not always identified as executables by a signature check, so never lean on a low score alone for a file you are about to install.
Sometimes you do want to run a program: you deliberately downloaded an app or a tool. In that case, get it straight from the vendor's official site rather than a random mirror or a link in an email, and confirm the publisher before you run it. If you did not intend to install anything and a file turns out to be an executable, that gap between expectation and reality is your answer. Do not open it.
Verify with a Hash and a Second Opinion
Every file has an effectively unique fingerprint you can compute from its contents, called a hash. Two different files sharing one is so astronomically unlikely that it is treated as impossible in practice. The analyzer calculates the SHA-256 hash of your file so you can do two useful things. First, if a publisher lists an official checksum for a download, you can compare the two values to confirm the file arrived intact and unaltered. Second, the tool builds a link that lets you look that hash up on a reputation service so you can see whether others have already flagged the same file as malicious.
This step is privacy-friendly by design. When you use the reputation lookup, only the hash travels, never the file itself, so you get a second opinion without uploading your document anywhere. If you want to understand more about how the different types of fingerprints work and why they cannot be reversed, our companion guide on hash functions goes deeper. If a hash lookup comes back clean it is reassuring but not proof of safety, since brand-new threats have no history yet, so keep weighing it against the other signals.
Your Before-You-Click Checklist
Put the pieces together and you have a fast routine. Were you expecting the file? Can you see its true extension, and is it a document type rather than an executable one? Does the name hide a second, dangerous extension? Does the real file type match what the name claims? For documents, does it carry macros or scripts it has no reason to include? And does a hash lookup surface anything already known to be bad? If most answers are reassuring, you are probably fine. If several raise a flag, do not open it, and delete it if it was unsolicited.
Judging files is one piece of a wider habit of protecting yourself online. For the bigger picture, including how to lock down your accounts, your data, and your everyday browsing, read our Online Privacy Guide 2026. Safe habits, a healthy dose of skepticism, and a quick technical check together stop the vast majority of file-based attacks before they start.
Try Our Free File Security Analyzer
Instead of running these checks by hand, let the tool do them for you. Our free File Security Analyzer inspects a file's real type from its bytes, spots extension mismatches and hidden double extensions, flags macros in modern Office documents and scripts in PDFs, recognizes executables, and gives you a plain risk score out of 100. Everything runs locally in your browser, so your files never leave your device. Drag a file in and read the findings before you double-click. Just remember it is a first-pass heuristic, not a verdict: a clean or unknown result is not proof of safety, so when the source is untrusted, pair it with a full antivirus and the habits above.