
Malicious files are a common threat in the digital world, often disguised as legitimate documents, applications, or other seemingly harmless files. Identifying these files can be challenging and opening them without proper caution may lead to serious consequences, including data breaches or system compromises.
To avoid such risks, it is important to recognize common traits of potentially harmful files and learn how to examine them without exposing your device to malware.
Let’s break it down and learn how to spot red flags before it’s too late.
Traits of Malicious Files You Should Be Aware Of
Malware often masquerades as legitimate files, tricking unsuspecting users into downloading or opening them. While cybercriminals are crafty, certain traits can help you spot malicious files:
- Mismatched file extensions: For instance, a file named “Invoice.doc.exe” is presented as a Word document, but the final extension is .exe, so Windows treats it as a program and runs it when opened.
- Password-protected archives: Attackers often wrap payloads in archives and add a password precisely because email gateways and antivirus engines cannot inspect the encrypted contents; the password is then supplied in the message body so the recipient can open it.
- Unusually large file sizes: A file that claims to be a simple document or image but has an unusually large size might include hidden malicious code.
- Suspicious senders or messages: Attachments sent in generic or unexpected emails, like “Your invoice” or “Important update,” should raise red flags.
- Double extensions: Files with double extensions like “file.pdf.exe” or “image.jpg.scr” are often designed to confuse users into thinking they are safe.
- Unusual permissions requests: Files that ask for administrative rights or access to sensitive directories upon execution should be viewed with suspicion.
- Obfuscated file names: Files with gibberish or random strings of letters and numbers (e.g., “A1B2C3D4.exe”) are often used to avoid detection by users or automated systems.
- Executable files in non-executable formats: For example, an .exe packed inside a .zip or .rar archive is rarely how legitimate documents are shared and can indicate malicious intent.
- Files sent in mass emails: Attachments included in emails that are part of mass campaigns, often with generic subjects, are common carriers of malware.
- Uncommon file locations: Files stored in obscure directories, such as hidden folders or temporary system files, can be suspicious. For example, a document saved in C:\Windows\System32 may indicate malicious intent.
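Several of the traits above can be checked mechanically before a file is ever opened: the name alone reveals double extensions and gibberish names, the first few bytes reveal whether a “document” is really a Windows executable, and an archive’s metadata reveals encrypted entries and executables inside it. The script below is an added example, not code from ANY.RUN or from the original article. The extension lists, the magic-byte table and the “random-looking name” threshold are assumptions chosen for illustration, and the sample files (a stand-in executable header, a minimal PDF and an in-memory ZIP mirroring the invoice lure from the text) are constructed here so the example runs offline.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Types that run code when double-clicked on Windows (assumed list, not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".msi"}
# Types a user reads as "just a document or a picture" (assumed list)
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".jpeg", ".png"}
# Leading bytes of a few well-known formats: (signature, description, is_executable)
MAGIC = [
    (b"MZ", "Windows executable", True),
    (b"%PDF", "PDF document", False),
    (b"\x89PNG", "PNG image", False),
    (b"\xff\xd8\xff", "JPEG image", False),
    (b"PK\x03\x04", "ZIP container", False),
]


def check_name(name: str) -> list[str]:
    """Filename-only checks: double extensions, executable types, random-looking stems."""
    path = PurePosixPath(name)
    suffixes = [s.lower() for s in path.suffixes]
    final = suffixes[-1] if suffixes else ""
    findings = []
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS:
        findings.append(f"double extension: {name!r} looks like {suffixes[-2]} but runs as {final}")
    elif final in EXECUTABLE_EXTS:
        findings.append(f"executable type {final}: {name!r}")
    stem = path.name.split(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    # Rough heuristic (assumed threshold) for gibberish names such as A1B2C3D4.exe:
    # at least 8 characters, letters and digits only, and 40% or more digits.
    if len(stem) >= 8 and stem.isalnum() and digits / len(stem) >= 0.4:
        findings.append(f"random-looking name: {name!r}")
    return findings


def check_content(name: str, data: bytes) -> list[str]:
    """Compare what the extension claims with what the leading bytes say."""
    final = PurePosixPath(name).suffix.lower()
    for sig, kind, is_exec in MAGIC:
        if data.startswith(sig):
            if is_exec and final not in EXECUTABLE_EXTS:
                return [f"content mismatch: {name!r} is a {kind} but is named as {final or 'no extension'}"]
            return []
    return []  # unknown format: nothing to say from the header alone


def inspect_archive(data: bytes) -> list[str]:
    """Read a ZIP's metadata without extracting anything: encryption flag, executables, double extensions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(check_name(info.filename))
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(f"password-protected entry: {info.filename!r}")
                continue  # the bytes cannot be read without the password
            with zf.open(info) as fh:
                findings.extend(check_content(info.filename, fh.read(8)))
    return findings


def assess(name: str, data: bytes) -> list[str]:
    """Run every check that applies to one file and return the list of red flags."""
    findings = check_name(name) + check_content(name, data)
    if data.startswith(b"PK\x03\x04"):
        findings += inspect_archive(data)
    return findings


# Constructed samples: a stand-in for a PE header (not a real program) and a minimal PDF.
FAKE_PE = b"MZ" + bytes(126)
FAKE_PDF = b"%PDF-1.7\n%constructed sample\n"


def build_sample_archive(encrypted: bool = False) -> bytes:
    """Constructed in-memory ZIP mirroring the 'invoice' lure: two executables and one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("STATEMENT OF ACCOUNT.exe", FAKE_PE)
        zf.writestr("Invoice.doc.exe", FAKE_PE)
        zf.writestr("cover letter.pdf", FAKE_PDF)
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted entries, so set the 'encrypted' flag (bit 0 of the
        # general-purpose flags, offset 8) in every central-directory header. The metadata then
        # claims password protection, which is all the detector above reads.
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= 0x01
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("Invoice.doc.exe", FAKE_PE),
        ("report.pdf", FAKE_PE),
        ("A1B2C3D4.exe", FAKE_PE),
        ("quarterly.pdf", FAKE_PDF),
        ("invoice.zip", build_sample_archive(encrypted=True)),
    ]
    for sample_name, sample_data in samples:
        print(sample_name, "->", assess(sample_name, sample_data) or ["no findings"])
```

The archive is examined through its central directory only, so no entry is written to disk and encrypted entries are reported from their flag bit rather than opened. A check like this is a triage aid, not a verdict: a file with no findings can still be malicious, which is why the text goes on to recommend behavioural analysis in a sandbox.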
Identifying Suspicious Files Safer and Faster
Above, we outlined 10 tips to help you determine whether a file is safe to open or potentially harmful. However, cyber attackers have become increasingly sophisticated, creating files that are difficult to detect through visual inspection alone. These files are often crafted to appear legitimate, making it challenging to decide whether they are safe.
In such cases, it is safer to analyze suspicious files in a controlled environment, such as ANY.RUN’s interactive sandbox. Here, you can upload the file and observe its behavior without putting your system, files, or sensitive data at risk.
The sandbox provides a quick way to evaluate potential threats. After running a file, ANY.RUN highlights its activity, indicating whether it is malicious or benign.
If the upper-right corner shows a red “Malicious Activity” label, it’s a clear sign that the file is dangerous and should never be opened on your system. This approach ensures you can identify risks effectively without compromising security.

Let’s take a closer look at one of the more challenging types of cyberattacks: targeted phishing or spearphishing. These attacks are particularly difficult to detect because they are personalized, often mimicking someone familiar, like a colleague, or imitating legitimate organizations.
Attackers use professional-looking emails that resemble official correspondence from trusted entities like banks, postal services, or manufacturers to appear convincing.
In our sandbox session, the message claims that the sender has transferred a specific amount of money and asks the recipient to verify an attached archive, which supposedly contains an invoice. This scenario is common in phishing campaigns, designed to pressure the recipient into opening the attachment without second-guessing.

Thanks to ANY.RUN’s interactivity, we can safely download the attachment and analyze it within the sandbox without any risk to our system.
The Downloaded Archive
Upon inspection, the attached file is a .zip archive. Once extracted in the sandbox, we find a file named “STATEMENT OF ACCOUNT”, a typical naming choice attackers use to give malicious files a legitimate appearance.
However, a deeper look reveals that the file is an executable (e.g., “STATEMENT OF ACCOUNT.exe”), which is unusual for business correspondence. In most cases, legitimate invoices or financial documents are shared as PDFs or Word files, not executables. This mismatch is a significant red flag.

After launching the sandbox analysis, the service instantly flags malicious activity and identifies the system as being infected with Agent Tesla, a notorious malware family. Agent Tesla is widely used by cybercriminals to steal sensitive information, such as credentials, keystrokes, and clipboard data, and to monitor the victim’s activities.

In conclusion, ANY.RUN lets you analyze suspicious emails, files, and URLs to uncover potential cyberattacks quickly and efficiently. With Automated Interactivity, the service takes care of the analysis steps for you, delivering concise and actionable insights into the threat.