Windows File Extension List: Types of Files Exploited by Malware

Windows File Extension List: Types of Files Exploited by Malware

There are various file types and extensions that may be dangerous to the computer because they have been employed by malware. The average PC user may find it difficult to differentiate malicious from ordinary program files. Luckily, there are some ways to recognize potentially dangerous file extensions and avoid infecting the computer.

The types of files that malware tends to exploit the most are:

  • .exe
  • .com


  • Macros

However, not all files containing the extensions mentioned above are threatening. One way to tell is by identifying how the file is trying to reach you. Is it sent via email by an unknown sender, or did a download box appear after landing on a suspicious website? If so, chances are you have been targeted by a piece (or pieces) of malicious software and should be extra cautious.

If, however, you are not certain about the file’s origin and believe it may be safe, saving it to a folder and scanning it via antivirus software will clear away any suspicions. A free online scanning service can be used as well. Some services provide the option to upload a file, or scan a suspicious URL.

What Are the Most Common File Extensions?

According to Microsoft, there are five most popular extension names. It appears that they are often used by cyber minds for the purpose of distributing malware:

  • .exe – program file.
  • .com – MS-DOS program.
  • .pif – Shortcut to MS-DOS program.
  • .bat – batch file.
  • .scr – screen saver file.

Also, keep in mind that:

→Certain viruses have been identified to exploit two extensions in the attempt to make them more credible. For instance, FileName.txt.exe or PhotoName.jpg.exe. Microsoft security experts highlight that it is not typical for regular files to have two extensions. If you see such a file in your system, do not open it and proceed towards seeking professional anti-malware help.

Even theoretically, some files are more dangerous than others. For example, text (.txt) and image files (.jpg, .gif, .png) are safer than .exe files and macros. Nonetheless, knowing the source of the file is crucial both to the system’s security and the user’s private data. Some of the ‘safer’ files such as .jpg can still be designed to exploit the system’s vulnerabilities, even though such cases are extremely rare and timely fixed.

An important fact to remember: media files – .jpg, .png, .gif and .MP3 – do not contain code and thus, they are considered less dangerous in the sense of malware distribution. In that relation, knowing exactly which files can be exploited by cyber criminals is extremely important.

As you may have guessed, those are the files that contain code. According to their exact type, the files can be compiled in four groups: programs, scripts, shortcuts, and Office macros.

Program files:

.GADGET – A gadget file designed for the Windows desktop gadget technology, first included in Windows Vista.

.MSI – Stands for ‘Microsoft installer file’ and is mostly used to install other applications on the system. However, apps can also be installed by .exe files.

.MSP – A Windows installer patch file that is employed to patch applications used with .MSI files.

.COM – Used by MS-DOS.

.SCR – A Windows screen saver file that may contain executable code.

.HTA – An HTML application.

.CPL – A Control Panel file.

.MSC – A Microsoft Management Console file, such as the disk management tool.

.JAR – .JAR files contain executable Java code.


.BAT – A batch file that contains a list of commands that run when the file is open.

.CMD – Also batch file that is similar to .BAT. Introduced in Windows NT.

.VB and .VBS – A VBScript file.

.VBE – An encrypted VBScript file, what it may do once executed is often unclear.

.JS – A JavaScript file typically used by web pages. They are safe if used in Web browsers. Nevertheless, Windows will also run .JS files outside the browser.

.JSE – An encrypted JavaScript file.

.WS and .WSF – A Windows Script file.

.WSC and .WSH – Stand for Windows Script Component and Windows Script Host control files.

.PS1, .PS1XML, .PS2, .PS2XML, .PSC1, .PSC2 – A Windows PowerShell script that is used to run PowerShell commands in the order cited in the file.

.MSH, .MSH1, .MSH2, .MSHXML, .MSH1XML and .MSH2XML – A Monad script file. Monad is the old name of PowerShell.


.SCF – A Windows Explorer command file. It can be used to employ malicious commands to Windows Explorer.

.LNK – A link to a program on the PC. It may be used to delete certain files without asking for permission.

.INF – A text file used by AutoRun. It may be employed to launch malevolent applications.

Office Macros:

.DOC, .XLS, .PPT – Microsoft Word, Excel, and PowerPoint documents. Often used by cyber criminals to target businesses, e.g. banks.

.DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM – File extensions introduced in Office 2007. The M serves to indicate that the file contains Macros. They are different from .DOCX files.

Other file extensions:

.chm – an HTML file compiled by Microsoft.

.drv – Windows device driver.

.vxd – Windows virtual device driver.

.dll – a Dynamic Link Library file.

.swf – stands for ShockWaveFlash – an animated vector format designed for the Web.

Banking Trojans Using Macros

Recent attacks indicate that cyber criminals employ macros to spread malicious software. In most cases, banking Trojans are delivered through enabling macros. Usually, such malicious campaigns are designed to trick users into opening an email attachment, typically a Microsoft Office document. Malicious macros are enclosed in the document, consisting of commands to download and execute a malware dropper. A recent case of an attack in the UK spreading Dridex Banking Trojan even employed a .GIF image, proving that even ‘safer’ files can be used in malicious architecture.

*Article Sources:

*Image Source:

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.