Tutorial: File types that are usually suspicious!

So, which types of files do we have to pay particular attention to? I will make a simple list of file types, but please, guys, we are a community, so contribute to this thread by posting your list!

  • All email attachments (yes, when you find an email in your spam box it is strongly recommended NOT to click on any link and NOT to download any attachments, because they are often malware).
  • Double-extension files (e.g. .pdf.exe)
  • Script files (e.g. .js, .jse, .vbs, etc.; they can work as downloaders for ransomware, etc.)
  • .scr files
  • Documents (.xls, .docx, .rtf; usually used for macro malware and exploits)
  • .exe (maybe the most obvious)
  • .bat files
  • PowerShell files
  • .reg files
Thanks guys for reading :)
 

plat1098 · Level 24 · Verified · Sep 13, 2018 · 1,328
Nice refresher. 👌 Here is where NVT SysHardener can maybe help you out, especially for those like me who aren't into scrupulously reviewing everything first.

[attached image: syshardener.PNG]
 

Andy Ful · Level 69 · Verified · Trusted · Content Creator · Dec 23, 2014 · 5,872
The list from RunBySmartScreen:
ACCDA, ACCDE, ACCDR, ACCDT, ACM, AD, ADE, ADN, ADP, AIR, APP, APPLICATION, APPREF-MS, ARC, ASA, ASP, ASPX, ASX, AX, BAS, BAT, BZ, BZ2, CAB, CDB, CER, CFG, CHI, CHM, CLA, CLASS, CLB, CMD, CNT, CNV, COMMAND, CPL, CPX, CRAZY, CRT, CRX, CSH, CSV, DB, DCR, DER, DESKLINK, DESKTOP, DIAGCAB, DIF, DIR, DLL, DMG, DOCB, DOCM, DOT, DOTM, DOTX, DQY, DRV, FON, FXP, GADGET, GLK, GRP, GZ, HEX, HLP, HPJ, HQX, HTA, HTC, HTM, HTT, IE, IME, INF, INI, INS, IQY, ISP, ITS, JAR, JNLP, JOB, JS, JSE, KSH, LACCDB, LDB, LIBRARY-MS, LOCAL, LZH, MAD, MAF, MAG, MAM, MANIFEST, MAPIMAIL, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MAY, MCF, MDA, MDB, MDE, MDF, MDN, MDT, MDW, MDZ, MHT, MHTML, MMC, MOF, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSP, MST, MSU, MUI, MYDOCS, NLS, NSH, OCX, ODS, OPS, OQY, OSD, PCD, PERL, PI, PIF, PKG, PL, PLG, POT, POTM, POTX, PPAM, PPS, PPSM, PPSX, PPTM, PRF, PRG, PRINTEREXPORT, PRN, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PSD1, PSDM1, PST, PSTREG, PXD, PY, PY3, PYC, PYD, PYDE, PYI, PYO, PYP, PYT, PYW, PYWZ, PYX, PYZ, PYZW, RB, REG, RPY, RQY, RTF, SCT, SEA, SEARCH-MS, SEARCHCONNECTOR-MS, SETTINGCONTENT-MS, SHB, SHS, SIT, SLDM, SLDX, SLK, SPL, STM, SWF, SYS, TAR, TAZ, TERM, TERMINAL, TGZ, THEME, TLB, TMP, TOOL, TSP, URL, VB, VBE, VBP, VBS, VSMACROS, VSS, VST, VSW, VXD, WAS, WBK, WEBLOC, WEBPNP, WEBSITE, WS, WSC, WSF, WSH, XBAP, XLA, XLAM, XLB, XLC, XLD, XLL, XLM, XLSB, XLSM, XLT, XLTM, XLTX, XLW, XML, XNK, XPI, XPS, Z, ZFSENDTOTARGET, ZLO, ZOO

Also EXE, COM, MSI, SCR can be dangerous, but they can be checked by SmartScreen (if downloaded from the Internet by the web browser).
The popular document extensions (DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) can be very dangerous when opened by MS Office or Adobe Acrobat Reader applications.
If they are downloaded by the web browser, then MS Office 2010+ applications open those documents in 'Protected View' mode.
The archived files (ZIP, 7Z, ARJ, RAR, ZIPX) can be dangerous, because unarchived files usually lose the 'Mark Of The Web', which can inform applications and SmartScreen that those files are from the Internet.
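To turn the two lists in this thread (the opening post's suspicious types and Andy Ful's RunBySmartScreen list, SmartScreen-checked executables, documents and archives) into something you can run over a download folder, here is an added Python example. It is not code from the thread or from RunBySmartScreen; the extension sets are subsets copied from the posts above, the "decoy" set used to spot double extensions (document types plus a few image/text types) and the wording of the findings are my own choices, and the Zone.Identifier samples are constructed. The Mark Of The Web itself is read from the NTFS `:Zone.Identifier` alternate data stream, whose `[ZoneTransfer]` section carries `ZoneId=3` for the Internet zone and `ZoneId=4` for Restricted sites.

```python
"""Flag download names by extension risk and check for the Mark Of The Web."""
from __future__ import annotations

from pathlib import PurePath

# Scripts, shortcuts, macro documents and similar types, a subset of the
# RunBySmartScreen list quoted in the thread.
RISKY = {
    "bat", "cmd", "cpl", "hta", "jar", "js", "jse", "ps1", "ps1xml", "reg",
    "rtf", "settingcontent-ms", "url", "vbe", "vbs", "wsf", "wsh",
    "docm", "xlsm", "pptm", "gz", "tar",
}
# Plain executables: SmartScreen can check them only when they carry the MOTW.
EXECUTABLES = {"exe", "com", "msi", "scr"}
# Office/PDF documents: Office 2010+ uses Protected View only with the MOTW.
DOCUMENTS = {"doc", "docx", "xls", "xlsx", "pub", "ppt", "pptx", "accdb", "pdf"}
# Archives: files extracted from them usually lose the MOTW.
ARCHIVES = {"zip", "7z", "arj", "rar", "zipx"}
# Extensions that usually play the harmless-looking half of a double extension
# (document types from the thread plus image/text types; my assumption).
DECOY = DOCUMENTS | {"txt", "jpg", "jpeg", "png", "gif"}

ZONE_INTERNET = 3  # ZoneId values written into the Zone.Identifier stream
ZONE_RESTRICTED = 4


def suffixes(filename: str) -> list[str]:
    """Every extension in the name, lowercased, without the leading dot."""
    return [s[1:].lower() for s in PurePath(filename).suffixes]


def category(filename: str) -> str:
    exts = suffixes(filename)
    ext = exts[-1] if exts else ""
    if ext in EXECUTABLES:
        return "executable"
    if ext in RISKY:
        return "risky"
    if ext in DOCUMENTS:
        return "document"
    if ext in ARCHIVES:
        return "archive"
    return "other"


def has_double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.exe, false for archive.tar.gz."""
    exts = suffixes(filename)
    return len(exts) >= 2 and exts[-1] in (EXECUTABLES | RISKY) and exts[-2] in DECOY


def parse_zone_identifier(text: str | None) -> int | None:
    """Return the ZoneId from the [ZoneTransfer] section, or None if absent."""
    if not text:
        return None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
        if in_section and line.lower().startswith("zoneid="):
            try:
                return int(line.split("=", 1)[1].strip())
            except ValueError:
                return None
    return None


def read_zone_identifier(path: str) -> str | None:
    """Read the MOTW alternate data stream (NTFS on Windows); None if missing."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def assess(filename: str, zone_identifier: str | None = None) -> list[str]:
    """Findings a user should weigh before opening the file."""
    findings = []
    exts = suffixes(filename)
    zone = parse_zone_identifier(zone_identifier)
    from_internet = zone is not None and zone >= ZONE_INTERNET
    if has_double_extension(filename):
        findings.append(f"double extension: the real type is .{exts[-1]}")
    cat = category(filename)
    if cat == "executable":
        findings.append("executable; MOTW present, SmartScreen can check it" if from_internet
                        else "executable; no MOTW, SmartScreen has nothing to check")
    elif cat == "risky":
        findings.append("script or other type from the RunBySmartScreen list")
    elif cat == "document":
        findings.append("Office/PDF document; MOTW present, Office 2010+ uses Protected View"
                        if from_internet else
                        "Office/PDF document; no MOTW, Protected View will not be used")
    elif cat == "archive":
        findings.append("archive; extracted files usually lose the MOTW")
    return findings


if __name__ == "__main__":
    # Constructed samples: a browser download keeps its Zone.Identifier stream,
    # a file pulled out of an archive has none.
    MOTW = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/dl\r\n"
    for name, stream in [("report.docx", MOTW), ("invoice.pdf.exe", None),
                         ("photos.zip", MOTW), ("archive.tar.gz", None)]:
        print(name, "->", assess(name, stream) or ["nothing notable"])
```

On a real Windows folder, replace the constructed samples with `assess(path, read_zone_identifier(path))` for each entry of `os.scandir(folder)`; on other systems the stream read simply returns None, so only the name-based checks apply.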