Windows File Types Used by Malware (2019)

This article explains the most commonly used file types that can turn out to be malicious and infect Windows computers if they are executed on them, and gives you tips on how to manually spot such files and refrain from downloading them.

It was estimated that around 400 thousand new viruses infect computers on a daily basis. While conservative, these numbers are likely to increase in the years to come, and what is scary is that almost 80% of those infections are infections with malicious file types. This is why it is essential for today’s user to learn how to spot such files and thus prevent an infection from becoming a reality.

Infection methods have evolved considerably over the last few years, but what stays the same is the types of files used, which are generally the same Windows-based file types that are executable or can have nefarious code embedded in them in order to infect computers with malware. In this article we will show you the different malicious files and explain more about how you can become compromised with malware by opening them.

Which File Types are Used Most Often to Infect PCs?

There are a lot of file types that serve different functions, and with the proper coding skills or available scripts they can be turned into an obfuscated cyber-weapon to serve their masters’ purpose. The most often chosen files are those that can easily trick you into believing the file is legitimate, while at the same time the file itself can easily be masked from antivirus programs. Below you can see the file types that malware authors use most often at the moment.

.DOC, .DOCX, .DOCM File Types (Microsoft Office documents)

This set of file types is becoming more and more popular among cyber-criminals. They often perform an infection as a result of getting the victims to open the file and click on “Enable Editing”. This triggers malicious macros that contain scripts which allow the infection to be conducted in a hidden manner. Usually the files are sent to victims via e-mail and they often pretend to be some form of invoice or other important document.

In some cases, the documents may be masked as “protected” and victims may be asked to click on “Enable Editing” in order to read them, as in the case of the ZeuS Trojan, whose infection document can be seen below:

.EXE File Types (Executables)

These are the file types most often used by malware. They are used primarily by experienced coders, like the hackers behind GandCrab ransomware, who uploaded fake software cracks to a compromised WordPress site. Anyone who searched for the particular program’s crack, downloaded it from those sites and ran it became compromised with GandCrab ransomware. Here is what the web page, which has now been taken down, looked like:

Another way in which executable files may be used is to pretend to be different types of programs the victim is trying to download from compromised and low-reputation websites, like torrent sites. The files that viruses usually masquerade as could be of any type, but they generally are:

  • Patches.
  • License activators.
  • Key generators.
  • Setups of programs.
  • Portable programs.

Users should be wary and are advised to run on-demand scans, or to upload the files to services like VirusTotal, before opening them.

.HTML, .HTA, .HTM File Types (Web Page Applications)

It was the wave of ransomware attacks, like Cerber and Locky ransomware, that used various types of compromised web pages saved in the .hta, .html and .htm file types. Following those attacks, the ransomware was ranked among the most effective malware against Windows 10, because of the exploit kit used with this particular means of infection. In addition to this, the files themselves are of the HTML web app type, which generally leads to an offline or an online page. They may contain hyperlinks or redirection scripts that lead to a third-party host from which a drive-by download can occur, and you can get the malware’s payload this way.

.JS and .JAR File Types (JavaScript)

These types of malicious files use the power of JavaScript, which is becoming more and more widely used nowadays. The files can also be spread through e-mail spam messages, as the latest variant of GandCrab ransomware does, by uploading archives that pretend to be documents but in fact are JavaScript files. Such an attack begins when the victim receives the following e-mail:

From: Deanna Bennett <>
Subject: Payment Invoice #93611
Attachment: DOC402942349491-PDF.7Z

Dear Customer,
To read your document please open the attachment and reply as soon as possible.
Kind regards,
TCR Customer Support

When the victim extracts and executes the file, the infection commences:

.VBS and .VB File Types

Windows Visual Basic script files are very dangerous and they have been associated with numerous big viruses, starting with Locky ransomware and Cerber ransomware. The main reason why cyber-criminals tend to choose .VBS files is that they have the skills to code in the Visual Basic environment. VBS is also a file type that can be easily concealed by being added to an archive, which can make it untraceable by e-mail protection software.
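The two archive tricks described above (the document-named archive in the GandCrab e-mail and the .VBS file hidden inside an archive) can be checked by name before anything is opened. The following is an added example, not part of the original article: the decoy tokens, the archive list and the member name inside the sample are assumptions, and the sample uses ZIP rather than 7Z because Python's standard library only reads ZIP.

```python
import io
import re
import zipfile

# Script and executable extensions from this article's list (macro documents excluded).
RISKY = {"exe", "hta", "js", "jar", "vbs", "vb", "bat", "dll", "sfx", "py",
         "msi", "msp", "gadget", "ps1", "lnk", "inf", "scf"}
ARCHIVES = {"zip", "7z", "rar"}             # assumed set of archive types
DECOYS = {"pdf", "doc", "docx", "invoice"}  # assumed document-like name tokens


def check_name(name):
    """Return findings for one file name (an attachment or an archive member)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, _, ext = base.rpartition(".")
    # Split the stem on anything that is not a letter: "doc4029-pdf" -> doc, pdf
    looks_like_doc = bool(DECOYS & set(re.split(r"[^a-z]+", stem)))
    findings = []
    if ext in RISKY:
        findings.append("runs-code:." + ext)
    if looks_like_doc and (ext in RISKY or ext in ARCHIVES):
        findings.append("document-name-on-non-document")
    return findings


def check_zip(data):
    """Map each flagged member of a ZIP (bytes) to its findings; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hits = {member: check_name(member) for member in zf.namelist()}
    return {member: f for member, f in hits.items() if f}


def build_sample_zip():
    """Constructed sample: a harmless archive whose member is named like the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DOC402942349491-PDF.js", "// placeholder, no real code")
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_name("DOC402942349491-PDF.7Z"))
    print(check_zip(build_sample_zip()))
```

A password-protected or nested archive hides its member names from this kind of listing, so an empty result on such a file should be treated as "unknown", not "clean".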

.PDF File Types (Adobe Reader)

Probably one of the latest trends that cyber-criminals use is to send .PDF files that have scripts embedded in them, which open Word documents. This has boosted the .PDF file type to one of the main infection files used. The .PDF files are often attached to spam messages and they conceal scripts which open malicious documents, more specifically the .DOCX, .DOCM and .DOC files we mentioned earlier, which infect via macros. This document-in-a-document strategy has so far worked quite well with victims and cyber-criminals prefer it a lot:

The main chain of activity is that the victim opens the .PDF file itself, which is written to open a .docm file attached to it. The .docm file is actually the virus, and once opened it may either infect by content enabling or directly infect the victim simply by being opened. This is especially successful with those “fast-clicker” types of users.
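Both links of this chain leave marks that can be checked without opening the file in a reader: a PDF has to declare its attachment and its automatic action by name, and a macro-enabled Word file has to carry a VBA project part. The following is an added example, not from the original article; the watch list of PDF names and the sample bytes are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# PDF name objects that mark attachments and automatic actions (assumed watch list).
PDF_NAMES = ("/EmbeddedFile", "/JavaScript", "/JS", "/OpenAction", "/Launch")


def pdf_indicators(data):
    """Count watch-list names in raw PDF bytes, after undoing #XX name escapes."""
    # PDF names may hex-escape characters: /J#61vaScript is the same name as /JavaScript.
    text = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    counts = {}
    for name in PDF_NAMES:
        # The lookahead stops /JS from matching inside a longer name.
        found = re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text)
        if found:
            counts[name] = len(found)
    return counts


def ooxml_has_macros(data):
    """True if a .docx/.docm (a ZIP container) holds a VBA project part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy .doc is an OLE file and is not handled here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


# Constructed, harmless sample: a PDF skeleton declaring an attachment and an open action.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
              b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF")


def build_sample_docm(with_macros=True):
    """Constructed sample: a ZIP laid out like a Word file, with placeholder parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(pdf_indicators(SAMPLE_PDF))
    print(ooxml_has_macros(build_sample_docm()))
```

Names stored inside compressed object streams are not visible to this raw scan, so an empty result does not prove that a PDF has no attachment or action.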

.SFX File Type (Self-Extracting Archives)

This method is very dangerous and has been used by numerous big ransomware viruses over the years. The method involves self-extracting archives that extract files which run automatically on your computer. One such example was detected using .SFX files in combination with an extracted .VBS file which, according to victims, disappears shortly after being extracted, suggesting that an automatic execution may take place. The way it works is very similar to Windows installers. These file types contain the malicious payload of the virus and, given some manipulation, they may automatically extract the virus payload and start it quietly. More sophisticated archives may even self-extract the payload files and delete themselves to avoid reverse engineering of their code to prevent infection in the future.

.BAT File Types (Batch files)

Even though these files are not used as often as the other files on this list, it is very likely that an infection might occur using a .bat file. Not only this, but .BAT files remain one of the main ways in which viruses modify Windows after they have performed privilege escalation, since they run .bat scripts that execute commands in Windows Command Prompt. These commands are capable of doing anything that you can imagine, varying from deleting shadow copies and backed up files to connecting to third-party programs and downloading viruses onto your computer. With the proper scripts and commands, batch files can break Windows and also have the power to shut it down or restart it automatically.

.DLL File Types (Dynamic Link Library)

The .DLL files are always among the payload files of almost any malware type. The primary reason for this is that they are often easily executed and obfuscated, because they can perform malicious functions that are undetectable. Not only this, but with the proper obfuscator, a .DLL file can successfully imitate a Windows system file, and this can allow it to create mutexes and perform a lot of different malicious activities, like deleting Windows files, escalating the privileges of the virus file to administrative ones and also performing multiple types of modifications in the Windows Registry Editor, like creating value entries with custom data within them. Furthermore, they can also display DLL errors that may trick victims or notify them that their system is compromised in some way. But since most viruses aim to stay silent, a pop-up is not something that you will likely see if your PC has been infected.

.TMP File Types (Temporary Files)

Temporary files exist for one purpose and this is to store data on your PC, while you are using some type of software. They are used so that the program can remember settings and start easily. Since every malware is a program all on its own, it also relies on TMP files to hold data on the infection. This data may be related to the actions the virus may perform and may also be used to relay information that is collected from the hacker behind the virus in question. If you have detected a .TMP file that is malicious, simply removing it may not stop the virus, but may restrict it. But many viruses restrict users from doing so by disabling write permissions over the file.

.PY File Types (Python)

These file types are especially popular among Python coders. Python is a language which can be used to create scripts for ransomware viruses, like HolyCrypt Ransomware. These viruses aim to encrypt documents, photos and many other types of files, the main purpose of which is to convince users to pay hefty ransom to get them back. But Python files may also be used in relation to other malware as well, such as viruses that may be created with the primary idea to perform fileless and undetectable behavior, like many spyware and botnet type of malware.

Custom File Types

These types of files are usually virus modules or support files of the malware itself and they can work only with the virus program. They may be absolutely any extension, ranging from the virus’s name to some humorous extensions, like .exeeee, .iamavirus, .fun and others.

Other Malicious File Types

Besides the main malicious file types, you can still have some other payload and manipulated types of files, which are designed for very specific purposes. These files tend to serve concrete functions to the viruses they aim to infect with or support. Here are some of those files below:

.MSI File Type (MSI Installers)

These are installer types of files that are used to install various types of programs on the computers of victims, and they are often used in the form of setups for software. Malware authors may use these .MSI files to slip in malicious executables and set them to be activated when you click on “Finish” in the program you are trying to install. Usually these programs are free software downloaded from third-party sites, like your favorite file converter, movie player and other software.

.MSP File Type (Patch Installers)

Serving the same purpose as .MSI files, the .MSP files are oriented towards patching and a hacker may use them in order to modify these files with the main idea to get them to be added automatically on the computers of users. These files represent fake patches that may compromise any program you may have on your computer towards malicious activities and turn it against you, besides infecting your PC with malware.

.GADGET File Type (Windows Desktop Gadgets)

These files are basically the Windows gadgets that were available with previous Windows versions, like 7 and Vista. They were often compromised with malware back then, and the scary part is that they are still used today, so many Windows machines that are not updated effectively could fall victim through exploits to Trojans, miner viruses and other types of malware.

.PS1, .PS1XML, .PS2, .PS2XML, .PSC1, .PSC2 File Types (Shell Scripts)

These file types are specific in the sense that they have been made in order to run PowerShell commands automatically and in the background of the victimized machine. If the hackers obtain administrator privileges, these files may be a big menace for your computer, because they can run almost any command in Windows PowerShell as an administrator, which basically means full control of the system.

.LNK File Type (Shortcuts)

These types of shortcuts are used primarily to link to software that is usually stored locally on the victim PC. A shortcut may trigger the virus file if properly configured; this has been happening for quite a while now, and this is why it is considered among the dangerous files. In addition to this, a shortcut can also trigger scripts which can launch malicious programs or delete specific files on the compromised computers.

.INF File Type (Text files)

These files are not generally dangerous, but they can often perform various activities that can be combined to launch programs. And if those programs are malware, this makes .INF files also of a malicious type.

.SCF File Type (Windows Explorer)

These files are basically the link to Windows Explorer activities, and they can be modified in order to perform malicious actions and manipulate the explorer.exe process, which can ultimately lead the victimised computer to malware infection. They are also very often used for post-infection activities.

Conclusion and How to Protect Yourself

Knowing the file types that can lead to infection is certainly beneficial, but knowing this in combination with how you can protect yourself effectively before opening a file is the best protection system. Since viruses are a very dynamic environment and they change daily, there could be some particular infections that you may not yet be aware of, since they may not have been used before. This is the main reason why we advise you to follow the tips below in order to build up a virus protection philosophy and know the next time a virus is out to gain control over your computer.

Tip 1: Make sure to install the appropriate protection software.

Tip 2: Learn how to safely store your important files and hence protect them from file encryptors or other malware.

Tip 3: Learn how to protect your computer from malicious e-mails.

Tip 4: Always make sure you scan a downloaded file. For archives, you can use the service Zip-e-Zip and for various file types and web links that you believe are malicious, you can use VirusTotal online scanner. Both services are completely free.

Tip 5: If you are OK with it, use sandboxing. It is a very effective method to isolate malware within encrypted sandbox code, even if you do not have the proper protection. A good program to start with is Sandboxie.

Ventsislav Krastev

Ventsislav has been a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated in Marketing as well, Ventsislav also has a passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.