A colleague forwarded me an email last year with an attachment called "invoice_march.pdf." Looked completely normal. Except when I checked the actual file extension, it was invoice_march.pdf.exe, an executable masquerading as a PDF. If she'd double-clicked it without checking, it would have run malware on her machine. She's a smart person. The file just looked innocent.
Malicious files are one of the primary ways cybercriminals deliver malware, ransomware, and spyware. A single infected file can compromise your entire system, encrypt your documents for ransom, or silently steal your passwords and financial information in the background. The Australian Cyber Security Centre (ACSC) consistently ranks malicious email attachments as one of the top threats facing Australian businesses and individuals.
In this guide, I'll explain how to check if a file is safe before opening it, which file types are most dangerous, and how file hash scanning works to detect known malware.
How to Check If a File Is Safe
There are several layers of defence you can use before opening any file. Here they are, from simplest to most thorough.
1. Check the Source
Where did the file come from? Files from official app stores, well-known software websites, and trusted colleagues are generally safe. Files from unknown email senders, random websites, pop-up download prompts, or peer-to-peer networks carry significantly higher risk. If you weren't expecting a file, be suspicious regardless of who apparently sent it, their account may have been compromised. Learn more about spotting phishing emails with malicious attachments.
2. Check the File Extension
The file extension tells you what type of file it is and how risky it might be. Some file types are far more dangerous than others because they can execute code on your computer.
.bat, .cmd, .ps1, Script files that run commands automatically.
.js, .vbs, .wsf, Script files often used by malware droppers.
.scr, Screensaver files (actually executables in disguise).
.docm, .xlsm, .pptm, Office files with macros (the "m" means macros enabled).
.zip, .rar, .7z, Archives can hide any file type inside, including malware.
.mp3, .mp4, .wav, Audio/video files (generally safe).
.txt, .csv, Plain text files (cannot execute code).
.pdf, Generally safe, but can contain malicious links or exploits.
.docx, .xlsx, Office files without macros (lower risk but check source).
Important: Be aware of double extensions. A file named "invoice.pdf.exe" is not a PDF, it's an executable. Windows hides known extensions by default, so "invoice.pdf.exe" might appear as just "invoice.pdf" with an executable icon. This is what frustrates me most about Windows security defaults, hiding file extensions is a decision that actively helps malware authors disguise their payloads, and it's been the default setting for decades despite every security professional on the planet wanting it changed. Enable file extension visibility in Windows File Explorer settings immediately to see the full filename. Seriously, do it right now.
3. Scan It with a File Scanner
The most reliable method is to scan the file before opening it. ScanTotal's File Scanner computes the file's SHA-256 hash (a unique digital fingerprint) entirely in your browser and checks it against databases of known malware. Your file never leaves your computer, only the hash is checked, preserving your privacy.
4. Check the File's Hash Manually
If you have a file hash (SHA-256, MD5, or SHA-1) from a software vendor, you can verify that the file you downloaded hasn't been tampered with. Legitimate software publishers often list file hashes on their download pages so you can confirm the file is authentic.
On Windows, open PowerShell and run: Get-FileHash filename.exe. On macOS or Linux, use: shasum -a 256 filename. Then compare the output to the hash listed on the vendor's website. If they match, the file is authentic.
You can also paste any hash directly into ScanTotal's Threat Search to check if it's associated with known malware.
What Is a File Hash and How Does It Detect Malware?
A file hash is a unique fingerprint generated by running a file through a mathematical algorithm like SHA-256. Every unique file produces a different hash, even changing a single byte in the file creates a completely different hash value. This makes hashes incredibly useful for identifying files.
Security researchers around the world continuously analyse malware samples and catalogue their hashes in threat intelligence databases like MalwareBazaar, ThreatFox, and others. When you scan a file, the scanner computes its hash and checks it against these databases. If there's a match, you know the file is a known malware sample.
For example, the EICAR test file (a harmless file used to test antivirus software) has the SHA-256 hash: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f. Any scanner that recognises this hash will flag it immediately.
Common Ways Malicious Files Reach You
Email attachments remain the most common delivery method. Invoices, shipping notifications, resumes, and "urgent documents" are popular disguises. The attachment might be a macro-enabled document, a disguised executable, or an archive containing malware.
Fake software downloads appear when searching for popular free software. Scammers create convincing copycat websites that serve infected versions of legitimate programs. Always download software from the official vendor's website.
Drive-by downloads happen when visiting a compromised or malicious website triggers an automatic download without your explicit consent. This is why keeping your browser and operating system updated is critical.
Social media and messaging links to shared files on cloud storage platforms can lead to malicious downloads. Be cautious about files shared in group chats, forums, or social media messages, especially from people you don't know.
What to Do If You Opened a Malicious File
If you've already opened a suspicious file, act quickly. Disconnect from the internet to prevent the malware from communicating with its command server or spreading to other devices on your network. Run a full system scan with your antivirus software. Change passwords for your important accounts from a different, uninfected device. Monitor your bank accounts and credit report for unusual activity. If you're on a work computer, contact your IT department immediately. Don't wait.
For ransomware specifically (if your files have been encrypted), do not pay the ransom. Contact law enforcement and check the No More Ransom project (nomoreransom.org) for free decryption tools.
What I'd Tell You to Do Right Now
Go into your Windows File Explorer settings and turn on file extension visibility, that one change alone would have saved my colleague from that disguised .exe file. Then, next time you download anything from an email or a website you're not 100% sure about, drag it into our file scanner before you open it. It takes five seconds and the file never leaves your browser. I scan every attachment that comes from an address I don't recognise, and the one time I found something malicious it was a .docm file pretending to be a delivery receipt from a supplier we'd never used. Five seconds of checking versus potentially days of recovery. Easy decision.