A double extension file is a file that displays two different extensions at once, one after another. The second extension describes the actual file format, while the first extension simply abuses the text box allocated for naming the file.

Threat actors frequently use this double extension file naming method to hide malicious files from unsuspecting victims.

For example, an email attachment displaying the name privatereport.pdf could actually be a malicious executable with the hidden full name privatereport.pdf.exe.

Naming a file with a fake secondary extension abuses a feature present in many file management programs that hides a file's extension from a user’s view, displaying only the file name and file icon instead.

Unfortunately, it’s trivial for threat actors to also change the file icon that file management programs display to the victim. By matching a fake extension with a congruous file icon, threat actors can manipulate victims into clicking on apparently innocent files without a second thought.

Carrying on the earlier example, privatereport.pdf.exe might display a completely normal looking PDF icon next to the file name privatereport.pdf displayed to the victim.

Mitigating Attacks with Double Extension Files

Double extension files can be an extremely effective attack vector when they’re shared in phishing emails that use especially targeted social engineering messages (i.e., Spear Phishing) to trick a prospective victim. Malicious executables will run malware directly after opening – a best-case-scenario for threat actors – and that alone makes it worthwhile to put extra effort into attacks utilizing double extension files.

The first and most important step towards mitigating double extension file attacks is, as always, rigorous user training. Users should question every element of an email originating from an external server, and they should preview or hover over suspicious attachments in these emails without opening them.

Detecting Double Extension File Attacks with Cloudmersive

The advanced iteration of the Cloudmersive Virus Scan API can be deployed at the network edge to scan all files (including double extension files) for viruses, malware, and a wide range of additional content threats. The Advanced Virus Scan API will perform in-depth verification on each scanned file, returning the verified file format in the response body. Custom threat rules can be set in the API request body (or from the Cloudmersive Account Management Portal) to block specific threats including executables, macros, scripts, password protected files, and more.

For example, no matter how convincing a threat actor made the malicious file look, the file privatereport.pdf.exe described above would match .exe file formatting standards rather than .pdf file formatting standards. With the custom threat rule allowExecutables set to False, this file would return a “CleanResult”: False response, and the file could be subsequently quarantined or deleted outright.

For more information on the Cloudmersive Virus Scan API and its various deployment options, please feel free to contact a member of our team.