Short answer

A security guide to interpreting local file triage based on filenames, MIME, magic bytes, double extensions, entropy, and bounded content samples.

01

A filename is a signal, not proof

Double extensions such as report.pdf.js can present a document-like name while the final extension remains executable. Dots, spaces, look-alike Unicode characters, and excessive length can obscure the visible type. These signals increase suspicion but do not prove malware.

An allowlist accepts only the small set of formats a workflow actually needs. Browser triage can normalize the name, extract the final extension, and report risky combinations without opening the file. Renaming does not change content, so further checks remain necessary.

02

Why compare MIME and magic bytes?

The MIME value reported by a browser can come from the file or operating system and is not sufficient for a security decision. Magic bytes identify the opening signature of formats such as PDF, PNG, JPEG, ZIP-based Office documents, and some executables.

A .jpg extension with a PDF or executable signature is a meaningful mismatch. Polyglot files and malformed or proprietary formats can still defeat simple rules. Signature checking is not a complete parser or sandbox.

  • Treat extensions as interface hints.
  • Do not treat MIME as security proof.
  • Compare signatures with a narrow type allowlist.
  • Use mismatches to stop automatic processing.
03

What bounded sampling can find

Sampling the beginning and end as text can expose obvious markers such as encoded PowerShell commands, script tags, macro relationships, or a shebang. Size limits and bounded reads provide fast triage without loading an entire large file into memory.

The method can miss compressed archive members, encrypted payloads, obfuscation, or content in an unsampled middle section. High entropy may indicate compression or encryption; it is not a malware verdict. No finding never means the file is safe.

04

A safer decision workflow

Do not open a suspicious file, preview it, or enable macros. Verify the source, keep it quarantined, and use current professional anti-malware or a controlled sandbox for independent analysis. An organization's incident procedure takes priority.

Local triage avoids unnecessary third-party upload, but the selected file is still read in browser memory. Process personal or confidential material only with authorization. A SHA-256 digest can compare integrity; it does not authenticate origin or safety.

Sources and verification

The following primary and official documentation was checked for this guide. Review each source's current version and change date as well.

  1. OWASP: File Upload Cheat Sheet
  2. OWASP: Input Validation Cheat Sheet
RELATED TOOLS

Put this guide into practice

51Local File Risk Pre-ScanInspect extension, signature, double extension, macro indicators, and bounded content samples without uploading.28EXIF / Metadata CleanerInspect sensitive JPEG and PNG metadata locally and download a clean copy.18SHA-256 Digest GeneratorCalculate a SHA-256 integrity digest with Web Crypto.
Editorial method

Content is checked against visible ByteQuant product behavior and the listed primary sources where available. It is general information, not legal or security advice.

Turn guidance into action

Start working on-device with 62 tools

Explore tools