Safe Downloading: File Extensions to Watch Out For - Colin Mackay

A practical guide to identifying risky file extensions and staying safe when downloading files from the internet.

Last updated: 14 April 2026

Downloads Carry Risk

Every file you download from the internet is a potential entry point for malware, ransomware, or unwanted software. The file extension is your first line of defence — it tells you what type of file you are dealing with and whether it can execute code on your system.

This guide covers which extensions are dangerous, which are relatively safe, and how to evaluate a download before opening it.

High-Risk Extensions: Can Execute Code

These file types can run programs on your computer. Treat every one of them with caution, particularly when downloaded from untrusted sources.

Windows Executables

  • .exe — Standard Windows program. This is the most common malware delivery vehicle.
  • .msi — Windows Installer package. Legitimate for software installation, but can also install malware.
  • .bat / .cmd — Batch scripts. Run a sequence of commands in the Windows command processor.
  • .com — Legacy DOS executable. Still executes on modern Windows.
  • .scr — Screensaver file. Functionally identical to .exe — a favourite disguise for malware.
  • .pif — Program Information File. Another legacy format that runs executables.

Script Files

  • .js / .jse — JavaScript. When run outside a browser (via Windows Script Host), these have full system access.
  • .vbs / .vbe — VBScript. Commonly used in phishing attacks.
  • .ps1 — PowerShell script. Powerful and capable of anything an administrator can do.
  • .wsf / .wsc — Windows Script Files. Can combine multiple scripting languages.

Other Dangerous Types

  • .reg — Windows Registry file. Can modify system settings when opened.
  • .lnk — Windows shortcut. Can point to and execute any program with parameters.
  • .inf — Setup Information File. Can install drivers and modify system configuration.
  • .hta — HTML Application. Runs as a fully trusted application with system access.

Medium-Risk Extensions: Potentially Dangerous

These can contain embedded macros or exploit vulnerabilities in the applications that open them:

  • .doc / .xls / .ppt — Older Office formats that can contain macros
  • .docm / .xlsm / .pptm — Macro-enabled Office documents
  • .pdf — Can contain JavaScript and exploits targeting PDF readers (keep your reader updated)
  • .jar — Java archive. Executable if Java is installed.

Lower-Risk Extensions: Data Files

These are primarily data files that cannot execute code directly:

  • .txt — Plain text. Safe.
  • .jpg / .png / .gif / .webp / .svg — Image files. Generally safe, though very rare image parser vulnerabilities have existed.
  • .mp3 / .flac / .wav / .aac — Audio files. Safe in practice.
  • .mp4 / .mkv / .avi / .webm — Video files. Safe in practice.
  • .docx / .xlsx / .pptx — Modern Office formats (without macros). Low risk.
  • .csv — Comma-separated values. Safe as data, but beware of CSV injection when opening in spreadsheets.

How to Evaluate a Download

  1. Check the source. Is the website legitimate? Did you navigate to it directly or follow a link from an unknown source?
  2. Check the extension. Is it what you expected? If you clicked "Download PDF" but got an .exe, something is wrong.
  3. Enable "Show file extensions" in Windows. By default, Windows hides known extensions — a file named report.pdf.exe appears as report.pdf.
  4. Check the file size. A document that should be 500 KB but is 15 MB is suspicious.
  5. Scan with antivirus. Right-click the file and scan before opening.
  6. Check digital signatures. Right-click an .exe → Properties → Digital Signatures. Legitimate software from known publishers is signed.

Enable File Extension Visibility

Windows 11

Open File Explorer → View → Show → File name extensions.

Windows 10

Open File Explorer → View tab → check "File name extensions".

macOS

Finder → Preferences → Advanced → check "Show all filename extensions".

This single change makes it much harder for disguised files to fool you.

Archives Require Extra Caution

ZIP, RAR, and 7Z archives can contain any file type, including executables. Password-protected archives are a common malware delivery method because antivirus software cannot scan the contents before extraction.

Always check the contents of an archive before extracting and running anything inside it. If an archive contains unexpected .exe, .bat, .js, or .scr files, treat it as suspicious.

Frequently Asked Questions

Can images contain malware?

In theory, a specially crafted image could exploit a vulnerability in an image viewer. In practice, this is extremely rare and requires an unpatched viewer. Keep your software updated and the risk is negligible.

Is it safe to open .pdf files?

Generally yes, provided your PDF reader is up to date. Adobe Acrobat Reader and browser-based PDF viewers are regularly patched. Avoid opening PDFs from unknown senders in outdated software.

What about .iso files?

ISO files are disc images that can contain any files, including executables. Mount them and inspect the contents before running anything. Legitimate software distributors (e.g. Microsoft for Windows ISOs) provide checksums to verify authenticity.