Extensions as Attack Surface
File extensions are supposed to tell you what a file is. Malware authors exploit two gaps: the gap between what an extension promises and what the file actually does, and the gap between the name the operating system shows you and the name it actually acts on. Knowing the techniques helps you recognise a disguised executable before you open it.
Double Extension Trick
The most common technique is the double extension. A file named invoice.pdf.exe looks like a PDF because Windows Explorer hides the extensions of known file types by default ("Hide extensions for known file types"). The user sees "invoice.pdf" and opens it, but only the final extension matters to the operating system, which runs the file as an executable.
Variations include:
- photo.jpg.scr — Appears as an image, runs as a screensaver (executable)
- document.docx.js — Appears as a Word document, runs as JavaScript
- report.pdf.bat — Appears as a PDF, runs as a batch script
Defence: Always turn on extension display in your operating system (in Windows File Explorer, the "File name extensions" option in the View menu, or untick "Hide extensions for known file types" in Folder Options on older versions). Read the final extension before deciding to open anything.
Right-to-Left Override (RTLO)
Unicode includes a control character, U+202E RIGHT-TO-LEFT OVERRIDE, that forces the text after it to be laid out right to left, so it appears reversed on screen. The character itself is invisible. Attackers embed it in filenames so that the extension a file manager displays differs from the real one.
For example, a file whose actual name is:
report[U+202E]fdp.exe
is displayed as:
reportexe.pdf
The real extension is still .exe: the characters after the override are reversed only on screen, and the file system and shell see them in their original order. The displayed name suggests a PDF. This is harder to spot than a double extension because the visible extension looks legitimate.
Defence: Be suspicious of unusual filename patterns, especially text that reads oddly just before the extension. Check the file's Properties to see the true filename. Many email gateways and endpoint products flag bidirectional control characters in filenames, but not all do.
Icon Spoofing
Attackers can set a custom icon on an executable file to make it look like a document, image, or folder. An .exe file with a PDF icon is visually identical to a real PDF in File Explorer unless you check the file type column or properties.
Defence: View files in "Details" mode in File Explorer so you can see the "Type" column. Never rely solely on the icon to determine file type.
Malware Hidden in Archives
Antivirus scanners cannot inspect the contents of a password-protected ZIP or RAR archive, because the file data inside is encrypted. Phishing emails therefore often carry a password-protected archive with the password in the message body: the mail gateway sees only an opaque archive, and the recipient supplies the key. Note that with standard ZIP encryption only the file data is encrypted; the list of file names remains readable without the password, so the contents can still be inspected. RAR and 7-Zip archives can encrypt the file list as well.
Common patterns:
- Email says "Your invoice is attached. Password: 1234"
- Archive contains an .exe or .js file, not the expected document
- Some archives contain a folder structure that obscures the executable's location
Defence: Treat password-protected archives from unknown senders with extreme suspicion. List the archive's contents before extracting anything (the names are usually readable without the password) and look for executable or script extensions, double extensions, and executables buried in nested folders.
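The three checks described above (reading the real extension, spotting a right-to-left override, and listing an archive before extracting it) can be automated. The Python script below is an added example, not part of the original article: it approximates how Explorer displays a name with extensions hidden and with a right-to-left override in it, flags executable and double extensions, and lists the entries of a ZIP without extracting them. The sample archive is constructed in memory for the demonstration, and the extension sets and the rendering approximation are simplifications, as noted in the comments.

```python
import io
import zipfile

# Extensions Windows hands to a loader or script host on double-click (illustrative list).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "msi", "lnk", "jar",
}
# Extensions a recipient expects to be harmless documents or media (illustrative list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "jpg", "jpeg", "png", "gif"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS
# Unicode bidirectional controls; U+202E is RIGHT-TO-LEFT OVERRIDE.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def windows_display_name(name: str) -> str:
    """Approximate Explorer's default 'hide extensions for known file types'."""
    base, dot, ext = name.rpartition(".")
    return base if dot and ext.lower() in KNOWN_EXTS else name


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware renderer shows: text after U+202E is drawn
    reversed until U+202C or the end of the string. The full Unicode bidi
    algorithm is more involved, but this matches the common ASCII case."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def analyse_filename(name: str) -> list[str]:
    """Return warnings for one filename (archive paths use '/')."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        codes = ", ".join(f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS)
        findings.append(f"bidi control {codes} in filename")
    # Judge the extension on the name as the file system stores it, controls removed.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    parts = clean.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"real extension .{parts[-1]} is executable")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension: shows as .{parts[-2]} with extensions hidden")
    return findings


def inspect_zip(data: bytes) -> list[dict]:
    """List entries without extracting. Standard ZIP encryption (ZipCrypto, WinZip AES)
    encrypts file data only, so names stay readable in a password-protected archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report.append({
                "name": info.filename,
                "depth": info.filename.count("/"),
                "encrypted": bool(info.flag_bits & 0x1),  # general purpose bit 0
                "size": info.file_size,
                "findings": analyse_filename(info.filename),
            })
    return report


def build_sample_archive() -> bytes:
    """Constructed lookalike of a phishing attachment (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024/README.txt", "Open the invoice for payment details.\n")
        zf.writestr("Invoice_2024/Documents/Scans/invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Invoice_2024/report\u202efdp.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample_archive()):
        shown = windows_display_name(rendered_name(entry["name"].rsplit("/", 1)[-1]))
        print(f"{entry['name']!r} displays as {shown!r}: {entry['findings'] or 'ok'}")
```

Because standard ZIP encryption leaves entry names in the clear, inspect_zip works on a password-protected attachment without the password; it only reports the encrypted flag per entry. On 7-Zip archives created with header encryption or RAR archives with encrypted file names, even the listing is unavailable, which is itself a reason for suspicion in an unsolicited attachment.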
Malicious Office Macros
Microsoft Office documents in the legacy binary formats (.doc, .xls) and the macro-enabled formats (.docm, .xlsm, .pptm) can contain VBA macros: embedded code that runs when the document is opened with macros enabled. The macro-free .docx, .xlsx and .pptx formats cannot carry a VBA project. Macro malware was one of the most prolific attack vectors for years.
Since 2022 Microsoft blocks VBA macros by default in Office files that carry the Mark of the Web, that is, files downloaded from the internet or received as email attachments. This significantly reduced the threat, but attackers have adapted:
- Instructing users to click "Enable Content", or to copy the file to a trusted location or remove the Mark of the Web (for example with the "Unblock" option in the file's Properties), so that the block no longer applies
- Switching to other file types such as .iso and .img disk images (which historically did not carry the Mark of the Web through to the files inside them), .lnk shortcuts, or OneNote files
Defence: Never click "Enable Content" or "Enable Macros" on a document from an external source. If a document claims to require macros to display correctly, it is almost certainly malicious.
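Whether an Office file actually contains a VBA project can be checked without opening it, because the .docm/.xlsm/.pptm formats are ZIP containers and the compiled macros live in a part named vbaProject.bin. The Python below is an added example, not the article's own code: it looks for that part and for the macro-enabled content types declared in [Content_Types].xml, and flags a file whose extension promises a macro-free format while its container carries VBA. The sample documents are constructed minimal containers, not real Word files, and legacy binary .doc/.xls (OLE2) files are outside its scope.

```python
import io
import zipfile

# Content type Office declares for the compiled VBA part in an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Macro-free formats: Office will not run VBA from these, so VBA inside one means tampering.
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}


def ooxml_macro_indicators(data: bytes) -> dict:
    """Inspect an Office Open XML container (docx/docm/xlsx/xlsm/pptx/pptm) without
    opening it in Office. Legacy .doc/.xls are OLE2 compound files, not ZIPs, and
    need a different parser (not handled here)."""
    if data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP-based Office file")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.endswith("/vbaProject.bin")]
        types_xml = ""
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "vba_parts": vba_parts,
        "declares_vba_part": VBA_CONTENT_TYPE in types_xml,
        # The main part's content type for .docm/.xlsm/.pptm contains "macroEnabled".
        "macro_enabled_main_part": "macroEnabled" in types_xml,
        "has_macros": bool(vba_parts) or VBA_CONTENT_TYPE in types_xml,
    }


def check_office_file(filename: str, data: bytes) -> dict:
    """Combine the container check with the extension the sender used."""
    ext = filename.rsplit(".", 1)[-1].lower()
    result = ooxml_macro_indicators(data)
    result["extension_mismatch"] = result["has_macros"] and ext in MACRO_FREE_EXTS
    return result


def _build_ooxml(main_content_type: str, with_vba: bool) -> bytes:
    """Constructed minimal Word container for the demo, not a real document."""
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_content_type}"/>']
    if with_vba:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 compound-file magic plus filler; a real vbaProject.bin is a full OLE2 stream set.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def build_sample_docm() -> bytes:
    return _build_ooxml("application/vnd.ms-word.document.macroEnabled.main+xml", True)


def build_sample_docx() -> bytes:
    return _build_ooxml(
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", False)


if __name__ == "__main__":
    print(check_office_file("Invoice.docm", build_sample_docm()))
    print(check_office_file("Invoice.docx", build_sample_docm()))  # macro document renamed to .docx
    print(check_office_file("Invoice.docx", build_sample_docx()))
```

A positive result does not by itself mean the file is malicious, since legitimate macro-enabled workbooks exist; it tells you the "Enable Content" prompt will appear and that the warning in the text above applies.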
Shortcut (.lnk) Exploits
Windows shortcut files store a target path and command-line arguments, and Explorer launches the target when the shortcut is double-clicked. A .lnk file can therefore start PowerShell or cmd.exe with arguments that download and run further payloads, or execute any program already on the system. A shortcut also carries its own icon setting, independent of the target, so an attacker can give it a PDF or folder icon while the target is a script interpreter. Explorer never displays the .lnk extension, even when extension display is turned on, so a file named invoice.pdf.lnk appears as invoice.pdf.
Defence: Be cautious of shortcuts received via email or downloaded from the web, particularly inside archives or disk images. Legitimate senders rarely have a reason to send you a .lnk file. Right-click > Properties shows the real target and its arguments on the Shortcut tab.
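The target, arguments and icon of a shortcut are stored as plain fields in the Shell Link binary format (MS-SHLLINK), so a .lnk received as an attachment can be triaged without running it. The Python below is an added example and not the article's code: it validates the header, skips the optional LinkTargetIDList and LinkInfo structures by their length fields, decodes the StringData fields, and applies simple triage rules (target is a script host, window hidden or minimised, encoded or policy-bypass arguments, icon borrowed from another program). The sample shortcut is constructed byte by byte for the demo, and the list of hosts and argument markers is illustrative rather than exhaustive.

```python
import struct

# Shell Link header: size 0x4C and CLSID {00021401-0000-0000-C000-000000000046}.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1); the ones below drive which sections follow the header.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
SW_SHOWMINNOACTIVE = 7
# Interpreters commonly launched from a shortcut to run attacker-supplied code (illustrative).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Argument fragments worth a second look (illustrative).
ARG_MARKERS = ("-enc", "-windowstyle hidden", "-w hidden", "bypass", "iex",
               "downloadstring", "invoke-webrequest", "http")


def parse_lnk(data: bytes) -> dict:
    """Decode the header fields and StringData of a Shell Link. LinkTargetIDList and
    LinkInfo are skipped via their size fields; extra data blocks after StringData are ignored."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, = struct.unpack_from("<i", data, 56)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    encoding, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    fields = {"icon_index": icon_index, "show_command": show_command}
    # StringData entries appear in this fixed order, each as CountCharacters + characters.
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields


def triage_lnk(fields: dict) -> list[str]:
    """Apply simple heuristics to the parsed fields."""
    findings = []
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    for marker in ARG_MARKERS:
        if marker in args:
            findings.append(f"suspicious argument: {marker}")
    icon = fields.get("icon_location", "").lower()
    if icon and target and not icon.endswith(target):
        findings.append("icon borrowed from another program (disguise)")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return findings


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed shortcut posing as a document: target is PowerShell, icon from shell32.dll."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 1, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    return (header
            + _string_data(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + _string_data(r"-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File .\setup.ps1")
            + _string_data(r"%SystemRoot%\System32\shell32.dll"))


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key}: {value}")
    for finding in triage_lnk(parsed):
        print("!", finding)
```

Relative paths like the one in the sample are how a shortcut reaches a system binary without knowing the drive letter; a shortcut shipped in an archive that resolves to PowerShell while wearing a document icon is the pattern the section describes.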
Quick Security Checklist
- Enable file extension visibility in your OS
- Use "Details" view in file browsers to see file type information
- Never enable macros in documents from external sources
- Scan downloads with up-to-date antivirus before opening
- Check digital signatures on executables
- Be suspicious of password-protected archives from unknown senders
- Hover over links to verify the actual URL before downloading
- Keep your operating system and applications updated
Frequently Asked Questions
Can a .txt file be malware?
A genuine .txt file cannot execute code. However, a file named readme.txt.exe with hidden extensions will appear to be a text file while actually being an executable.
Are macOS and Linux immune to these tricks?
No. While some tricks (like .exe files) are Windows-specific, macOS and Linux have their own executable types. macOS .app bundles can be disguised, and shell scripts (.sh) on Linux can be given misleading names. The principles are the same across platforms.
Does antivirus catch all of these?
Antivirus catches many known threats but cannot catch everything, especially zero-day malware. Defence in depth — combining awareness, OS settings, and security software — provides much better protection than any single measure.