File Safety

How to Spot a Malicious File Before You Open It

From double extensions to macro-laced Office documents, attackers use predictable tricks to disguise malware. Learn the red flags to check before opening any file.

Emil Gheonea · 8 February 2026 · 6 min read

The File You Almost Opened

You receive an email: "Invoice_March2026.pdf". You go to open it and notice the icon looks slightly off. On closer inspection the filename is actually Invoice_March2026.pdf.exe. You just narrowly avoided running a malware dropper.

This is one of dozens of tricks attackers use to make malicious files look safe. Here is what to look for.


1. Double Extensions

Windows hides known file extensions by default. Attackers exploit this:

  • Resume.docx.exe → displayed as Resume.docx
  • photo.jpg.vbs → displayed as photo.jpg

Fix: Enable "show file extensions" in Windows Explorer (View → File name extensions). Never open a file whose full extension you cannot see.


2. Office Documents With Macros

.docm, .xlsm, and .pptm files can contain macros — small programs that run when you open the document. Most ransomware and banking trojans in recent years have been distributed via malicious macros.

Red flag: Any document that asks you to "Enable Content" or "Enable Macros" when you open it.

Fix: Never enable macros unless you created the document yourself and understand what the macro does.


3. Suspiciously Large (or Small) Files

A PDF that is 2 KB is almost certainly not a real document. A 50 MB "text file" almost certainly contains hidden data. A file size that does not match the supposed content type is a signal worth investigating.


4. Mismatched Icons

Attackers use legitimate-looking icons to disguise malware. A file with a PDF icon but an .exe extension is a classic tactic. Look at the extension, not the icon.


5. Files Received Unexpectedly

Genuinely safe files are usually expected. If you receive an attachment you did not ask for — especially from a contact you rarely communicate with — treat it as suspicious regardless of its appearance.


6. Password-Protected ZIPs

Malicious files are increasingly delivered inside password-protected ZIP archives, with the password given in the email body. This defeats many email gateway scanners: the archive contents are encrypted, so the scanner cannot unpack and inspect them.

If you receive a ZIP with a password in the email — be very sceptical.
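
The six red flags above can be checked mechanically before a file is ever double-clicked. The script below is an added example written for this post, not code from the post or from VirusPurge; it works on a filename plus the file's bytes and raises one flag per check: a document extension hiding an executable one (sections 1 and 4), content whose leading bytes contradict the extension (section 4), an Office Open XML container carrying a vbaProject.bin part (section 2), a ZIP whose members have the encrypted flag set (section 6), and a size outside the post's stated expectations (section 3). The size thresholds, the extension lists and the magic-byte table are assumptions chosen to mirror the post's examples; the samples in build_samples are constructed in memory (headers only, no real malware) so the whole thing runs offline.

```python
from __future__ import annotations

import io
import zipfile

# Leading-byte fingerprints for the formats this post mentions (assumed table).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # plain ZIP and Office Open XML (.docx/.xlsm/...)
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "pe",  # Windows executable (.exe/.dll/.scr)
}
# What each extension claims the content should be.
EXPECTED = {"pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "zip": "zip",
            "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip",
            "pptx": "zip", "pptm": "zip", "exe": "pe", "dll": "pe", "scr": "pe"}
# Extensions Windows runs as a program or script on double-click.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
             "wsf", "hta", "ps1", "lnk"}
# Extensions a user reads as a harmless document or picture.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
            "jpg", "jpeg", "png", "gif", "csv"}
# Size expectations from the post as (min_bytes, max_bytes); assumed thresholds.
SIZE_RULES = {"pdf": (2 * 1024, None), "txt": (None, 50 * 1024 * 1024)}


def sniff_type(data: bytes) -> str | None:
    """Content type implied by the leading bytes, or None if unrecognised."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def has_double_extension(name: str) -> bool:
    """True for names like Resume.docx.exe: a document extension in front of an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS


def _zip_members(data: bytes) -> list[zipfile.ZipInfo]:
    """Central-directory entries of a ZIP/OOXML blob; empty list for anything else."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return []


def office_has_macros(data: bytes) -> bool:
    """True if an Office Open XML container carries a VBA project part."""
    return any(i.filename.lower().endswith("vbaproject.bin") for i in _zip_members(data))


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has the 'encrypted' bit (bit 0 of the general-purpose flags)."""
    return any(i.flag_bits & 0x1 for i in _zip_members(data))


def triage(name: str, data: bytes) -> list[str]:
    """Run the post's red-flag checks on a filename and its bytes; return the flags raised."""
    flags = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if has_double_extension(name):
        flags.append(f"double extension: real type is .{ext}")
    kind, expected = sniff_type(data), EXPECTED.get(ext)
    if kind and expected and kind != expected:
        flags.append(f"content is {kind} but extension says .{ext}")
    if office_has_macros(data):
        flags.append("Office document contains VBA macros")
    if zip_is_encrypted(data):
        flags.append("ZIP is password-protected; gateway scanners cannot inspect it")
    lo, hi = SIZE_RULES.get(ext, (None, None))
    if lo is not None and len(data) < lo:
        flags.append(f"suspiciously small for a .{ext} ({len(data)} bytes)")
    if hi is not None and len(data) > hi:
        flags.append(f"suspiciously large for a .{ext} ({len(data)} bytes)")
    return flags


def build_samples() -> dict[str, bytes]:
    """Constructed in-memory samples, one per red flag (headers only, no real malware)."""
    pe = b"MZ" + b"\0" * 4094  # bare PE signature padded to 4 KB
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:  # minimal OOXML container with a VBA part
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder OLE header
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice.pdf.exe", b"MZ")
    enc = bytearray(zbuf.getvalue())  # set the encrypted flag exactly as a passworded ZIP carries it
    enc[enc.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flags
    enc[enc.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return {
        "Invoice_March2026.pdf.exe": pe,
        "Quote.docm": docm.getvalue(),
        "Documents.zip": bytes(enc),
        "report.pdf": pe,  # PDF extension, executable content
        "notes.pdf": b"%PDF-1.4\n%%EOF\n",  # a 15-byte "PDF"
    }
```

Run it as `for n, b in build_samples().items(): print(n, triage(n, b))` to see each sample raise exactly one flag. Two design points matter here: the checks read the raw bytes and the central directory rather than trusting the icon or the displayed name, which is the whole point of sections 1 and 4, and the encrypted-ZIP check does not need the password, because the flag bit sits in the unencrypted ZIP headers, so a gateway could at least quarantine such archives even though it cannot scan their contents.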


What to Do With a Suspicious File

  1. Do not open it on your main machine.
  2. Check the file hash on VirusTotal (virustotal.com) — without uploading sensitive files.
  3. Scan it with an antivirus tool like Virus Purge before opening.
  4. Open in a sandboxed environment (e.g. Any.run or an isolated virtual machine) if you must inspect it.
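
Step 2 deserves a worked illustration, because the point is to learn what VirusTotal knows about a file without sending the file itself. The script below is an added example written for this post (not the post's own code, and not part of VirusPurge or VirusTotal's tooling): it streams the file through SHA-256, builds the browser lookup URL for that digest, and optionally queries the VirusTotal v3 files endpoint with an API key. The sample in demo() writes a constructed five-byte "attachment" to a temporary file so the hashing path can be exercised offline; the API call is the only part that needs a network connection.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request

VT_GUI = "https://www.virustotal.com/gui/file/"
VT_API = "https://www.virustotal.com/api/v3/files/"


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large attachments are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lookup_url(digest: str) -> str:
    """Browser URL for a hash-only lookup; only the digest leaves your machine, never the file."""
    return VT_GUI + digest.lower()


def api_verdict(digest: str, api_key: str) -> dict | None:
    """Query the v3 API by hash and return last_analysis_stats, or None if the hash is unknown.

    Needs network access and a VirusTotal API key; not exercised by demo().
    """
    req = urllib.request.Request(VT_API + digest.lower(), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # never seen by VirusTotal: treat as unknown, not as clean
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


def demo() -> tuple[str, str]:
    """Hash a constructed sample attachment from a temp file, the way you would a real one."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as f:
        f.write(b"hello")  # constructed content with a well-known SHA-256
    try:
        digest = sha256_of_file(path)
    finally:
        os.unlink(path)
    return digest, lookup_url(digest)
```

One caveat a hash lookup cannot remove: a None result (HTTP 404) only means nobody has submitted that exact file. Attackers routinely re-pack droppers so every recipient gets a unique hash, so "not on VirusTotal" is the expected outcome for a targeted attachment and is not a clean verdict; that is when step 3 or 4 applies.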

The Golden Rule

If you did not ask for a file and you are not 100% certain what it is — scan it before opening it. An online scanner takes seconds. Recovering from ransomware takes days or weeks.


Emil Gheonea

Software Developer & Security Enthusiast

Full-stack developer with a focus on cybersecurity tooling and infrastructure. I built VirusPurge to make fast, private file scanning accessible to everyone — and I write about security topics to keep the knowledge sharp.
