Which File Types Are Safe to Download? A Plain-Language Guide
You've just clicked a download link and your browser is asking whether you really want to keep the file. The warning mentions an extension you half-recognise, maybe .exe, maybe .dmg, maybe .apk. Before you click through, it helps to know what that extension actually means for the file's risk level.
The short version: file type is one signal, not a verdict. A .exe from a publisher you trust is fine; the same .exe emailed to you by a stranger is very much not. Still, some file types are inherently higher-stakes than others, and knowing the shape of each category helps you make a sensible call.
Here's a practical walk-through of the file types you're most likely to encounter, what each one can actually do, and when it's worth running through a file scanner before you open it.
How to think about file-type risk
Three questions decide most of it:
- Can this file execute code? Executables and scripts can do whatever your user account can do, which on a home computer is usually quite a lot.
- Can this file hide another file inside it? Archives, disk images, and installers are containers. The risk lives in what's inside, not the wrapper.
- Is this format a known malware carrier? Some formats have a long history of being abused because they combine "looks innocent" with "can do something dangerous."
Every extension below maps to some combination of those three. Let's walk through them.
High-risk: direct executables
.exe, .msi, .bat, .cmd, .com, .scr, .ps1, .vbs, .js (Windows)
What they do: Run code directly on your computer. A double-click is enough.
When they're fine: You're installing software from a known publisher, Windows shows a recognisable signature, and you expected to download it.
When to worry: Anywhere else, email attachments, unexpected downloads, files on a site that's impersonating a brand, files renamed from another format.
Every piece of Windows software you've ever installed is either a .exe or arrives inside a .msi installer, so these extensions are not inherently evil, they're the normal delivery format for software. The question is always who is behind the particular file and whether you asked for it.
.bat, .cmd, .ps1, and .vbs are script files: plain text instructions that Windows executes. They're especially dangerous because they're easy to write, easy to modify, and can be delivered as tiny files that look harmless until you open them. .scr is a screensaver format that's really just an executable in disguise, and it shows up in phishing attachments far more often than in legitimate screensavers.
.app, .pkg, .dmg (macOS)
macOS equivalents. .app bundles are applications. .pkg files are installer packages that run with elevated privileges. .dmg is a disk image that usually contains an .app. Modern macOS requires Apple's notarisation for apps to run without warnings, and Gatekeeper blocks unsigned code by default, but users can and do override those warnings, which is where most Mac malware sneaks in.
.apk (Android)
The standard Android install format. If you're downloading an .apk from outside the Google Play Store, Android calls this "sideloading" and warns you for good reason, you're bypassing the store's review process. Some legitimate apps are only distributed this way, but it's also the primary delivery format for Android malware. If you're asked to install an .apk to "track a parcel," "view a police notice," or "get a refund," close the browser.
.elf, .sh (Linux)
ELF binaries and shell scripts. Most home users won't encounter these, but if you run a Linux server or a Raspberry Pi, a stray .elf from /tmp/ is often the first sign of a botnet infection.
High-risk: macro-enabled documents
.docm, .xlsm, .pptm (and older .doc / .xls)
What they do: Office documents that contain macros, small programs written in VBA that run inside Word, Excel, or PowerPoint.
When they're fine: Internal business templates, trusted vendor workbooks, and automation macros you've reviewed.
When to worry: Any macro-enabled document from an external sender, especially ones that open with "Enable Content" prompts and promise invoices, resumes, or delivery confirmations.
Macros are still one of the most reliable ways malware reaches a corporate network. Microsoft has spent years tightening the defaults, recent versions of Office block macros from internet-sourced files by default, but attackers respond with new tricks: ZIPping the file, embedding it in an ISO, or socially engineering the user to click through the warning. Treat every unexpected .docm, .xlsm, or .pptm as suspicious.
.doc and .xls (the older formats without the "m") can also contain macros even though the extension doesn't show it. That's why modern Office formats split them into .docx/.docm, the "m" advertises that macros are present.
Medium-risk: documents that can embed active content
What it does: Portable Document Format. Usually text, images, and layout. Can also embed JavaScript, launch-actions, forms that post to external URLs, and exploits targeting old reader bugs.
When to worry: Unexpected PDFs that prompt you to "enable features," PDFs containing only a button that opens a URL, PDFs from senders you can't verify.
PDFs were the go-to malware carrier a decade ago when Adobe Reader had a steady stream of exploits. Modern readers, including the built-in viewers in Chrome, Edge, and Safari, run PDFs in heavily sandboxed environments, so exploit-based PDF malware is much rarer than it used to be. What's still common is phishing PDFs: a document that looks like an invoice but is really a giant clickable button pointing to a credential-harvesting page. Treat a PDF link the same way you'd treat any other link, check where it leads before you tap through.
.docx, .xlsx, .pptx (no macros)
The macro-free Office formats are generally fine. They're structured XML inside a ZIP, and while there are edge cases involving external references and remote template loading, the everyday risk is much lower than the macro-enabled versions. Still, open unexpected ones in Protected View (the default) and don't click "Enable Editing" unless you trust the sender.
Medium-risk: containers and disk images
.zip, .rar, .7z, .tar, .gz
What they do: Compress one or more files into a single archive. Safe or dangerous depending entirely on what's inside.
When to worry: Password-protected archives from external senders, archives containing executables or scripts, and archives whose only purpose seems to be hiding something from email filters.
Archives are wrappers, nothing more. The risk belongs to the contents. A common malware pattern is a password-protected .zip where the password is supplied in the email body, this is specifically designed to prevent scanners from seeing inside. If you receive one, that's a strong signal to stop and investigate.
.iso, .img, .dmg, .vhd
Disk images are full filesystems in a single file. On Windows 10 and later, a double-click mounts the image as a drive and exposes its contents, including executables that can bypass the "mark of the web" (the metadata Windows uses to warn about files from the internet). Malware authors love this trick. An unexpected .iso attachment is a strong signal of phishing, especially when it contains a small .lnk shortcut or .exe.
Low-risk: media and data files
.jpg, .png, .gif, .webp, .mp3, .mp4, .mov, .txt, .csv
What they do: Images, audio, video, and plain text. No code execution in any common scenario.
When to worry: When the extension is a lie, a file called invoice.pdf.exe or photo.jpg.scr where the real extension is hidden by a long filename.
Plain media files are genuinely low-risk. Historic exploits against image and audio decoders exist, but modern operating systems patch them quickly and most users aren't running ancient vulnerable libraries. The main thing to watch for is extension disguise: Windows hides known extensions by default, so holiday-photo.jpg.exe might display as holiday-photo.jpg with an Explorer icon that looks like an image. If you enable "show file name extensions" in File Explorer, this trick stops working.
Quick reference table
| Extension | Risk | When to scan |
|---|---|---|
| .exe, .msi, .bat, .ps1, .scr, .vbs | High | Always, unless from a trusted publisher you expected |
| .apk, .app, .pkg, .dmg | High | Always when sideloaded or from an unfamiliar source |
| .docm, .xlsm, .pptm, .doc, .xls | High | Always from external senders |
| Medium | When unexpected or from an unverified sender | |
| .zip, .rar, .7z | Medium | Always from external senders, especially if password-protected |
| .iso, .img, .vhd | Medium-High | Nearly always, rare in legitimate email |
| .docx, .xlsx, .pptx | Low-Medium | Only if sender is unverified |
| .jpg, .png, .mp4, .mp3, .txt, .csv | Low | Only if the file behaves strangely or won't open |
How ScanTotal helps
Our File Scanner hashes any file in your browser and checks the hash against a curated list of known malware signatures, without the file ever leaving your device. That's the fastest way to confirm whether a specific download matches a previously-identified threat. For deeper analysis, you can also paste the download URL into our URL Scanner, it checks reputation databases, runs heuristics, and probes the URL to see what it actually serves, which often catches malware that's too fresh to be in any hash database.
If you'd like a step-by-step walkthrough of the scanning process, see Is This File Safe? How to Check Any Download for Malware.
The practical rule
You don't need to memorise every extension. You need two habits:
- Match the file to the context. A
.pdffrom your accountant is different from a.pdfattached to a "your parcel is delayed" email. Expected sender, expected format, expected reason, that combination is the signal. - Scan anything you're unsure about. File scanners take seconds. It costs nothing to check, and the one time it catches something will pay for every prior "better safe than sorry" scan.
Extensions aren't verdicts. They're invitations to think about what a file can do and whether the current sender has a good reason to send it.
Not sure about a file you just downloaded?
Drop it into our File Scanner, it hashes the file locally and checks against known malware signatures.
Scan a File Now, Free