Understanding Malicious Files with Double Extensions | Stewart Title Blog

"The devil is in the details," or so they say. Today I want to explain a technique that serves absolutely no legitimate purpose other than a malicious one: double extension. In the Microsoft® Windows® world the file extension is critical as it indicates which program will open the file. For example, document.doc will be opened by Word, but document.txt will be opened by Notepad. Every possible file extension in the Windows operating system has a program associated with it. If it doesn't, Windows will ask you what program to use. Straightforward so far? It’s important to be aware that some extensions are very dangerous. An attacker who wants to deceive his victim into thinking he or she is opening a legitimate document (.doc) instead of a malicious program will create a double extension. In this example (image 1), the default Web browser, rather than Microsoft Word, will open the attached "Scanned.doc.htm" file. Only the last three or four letters after the right-most period determine the file extension. Any other dots in the file name are just nonsensical parts of the file name, which are ignored by the operating system.


http://blog.stewart.com/stewart/wp-content/uploads/sites/11/2019/06/57390061_571322236691375_7361251101242294272_n.jpg

This example was a relatively benign attack, however, as the criminal was trying to convince the recipient that the attached file was a Word document. A more serious offense of the same type would be if the file extension ended with ".com" (executable) or ".vbs" (script) or ".ps1" (PowerShell®). If you were to open those, you would be in real trouble. All these extensions are associated with the execution of whatever is inside the file.

Now, let's see what would happen if you didn't report this as malicious and, instead, opened it. If you were to open "Scanned.doc.htm," your default browser would open the page (image 2), which would show nothing but an empty Web page with a link inside. If you were to click on the link, you would end up on the phisher's website (image 3) prompting you for credentials. (And yes, it is known to be a phishing site.)


http://blog.stewart.com/stewart/wp-content/uploads/sites/11/2019/06/58377709_571322263358039_3841328434970099712_n.jpg


http://blog.stewart.com/stewart/wp-content/uploads/sites/11/2019/06/57555431_571322300024702_4897819028904476672_n.jpg

So, what did we learn today? If you see any attachments with a double extension, delete the entire email immediately. It will never be legitimate.

Think before you click.