Extension / MIME Mismatch
The file's actual content type, identified from its byte signature, does not match the extension declared in its filename.
Every file format has a recognizable byte signature — a fixed sequence of bytes at the start of the file that identifies what it is. An EXE starts with MZ. A ZIP (and Office document) starts with PK. A PDF starts with %PDF. These signatures exist independently of the filename or extension.
An extension mismatch means the signature-identified type and the extension-declared type are inconsistent. The file is not what its name says it is.
Severity is calibrated to risk direction — not all mismatches are equally dangerous:
| Severity | Scenario | Rationale |
|---|---|---|
| HIGH | PE executable (MZ) with a benign extension (.pdf, .docx, .jpg) | Primary social engineering scenario. The file executes if the user opens it through a method that respects the actual type. |
| MEDIUM | Archive file (PK) with a benign extension | An archive posing as a document requires an additional extraction step to execute — lower immediate risk, but still deceptive. |
| LOW | Other type mismatches (e.g., PDF named .txt) | Structurally inconsistent but not a typical attack pattern. May be accidental or a tooling artifact. |
Operating systems use file extensions to determine how to open files. A file named invoice.pdf will open in a PDF reader regardless of its actual content. If the file is actually a Windows executable, the PDF reader will fail to parse it — but the user may be prompted to try another application, or the file may be forwarded, stored, or extracted through a process that respects its actual type.
Email security gateways and endpoint controls frequently make allow/block decisions based on file extension. An executable delivered as .pdf may bypass extension-based controls entirely. This technique has been used in phishing campaigns, malicious email attachments, and drive-by download payloads.
The mismatch is evidence of deliberate deception in the HIGH and MEDIUM cases. Accidental mismatches (a text file renamed to .pdf for convenience) do happen, but they are the exception — particularly when the actual type is an executable.
Both inputs to this finding are directly readable: the file's magic byte signature is read from the first bytes of the uploaded data, and the extension is read from the filename string. The mismatch is a direct comparison result requiring no inference. No pattern matching, no heuristics — the two values either agree or they do not.
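The comparison described above, written out as an added example (not the scanner's own code): the leading bytes are matched against the signatures the page names, the extension is mapped to the type it claims, and the two are compared. Severity follows the table. The MIME strings, the extension map, the 8-byte header length and the sample filenames and bytes are constructed for this example; the JPEG signature is an addition so a `.jpg` name can be checked as well.

```python
import os
from typing import Optional, Tuple

# Byte signatures at offset 0. MZ, PK and %PDF are the ones the page describes;
# the JPEG signature is a constructed addition.
SIGNATURES = [
    (b"MZ", "application/x-dosexec"),        # PE executable (EXE, DLL, SCR)
    (b"PK\x03\x04", "application/zip"),      # ZIP local file header; also OOXML Office files
    (b"PK\x05\x06", "application/zip"),      # empty ZIP (end-of-central-directory record only)
    (b"%PDF", "application/pdf"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Type each extension claims to be. Subset constructed for this example.
EXTENSION_TYPES = {
    ".exe": "application/x-dosexec",
    ".dll": "application/x-dosexec",
    ".zip": "application/zip",
    ".docx": "application/zip",   # OOXML documents are ZIP containers
    ".xlsx": "application/zip",
    ".pptx": "application/zip",
    ".pdf": "application/pdf",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".txt": "text/plain",
}

HEADER_LEN = 8  # enough bytes for every signature above (assumed value)


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type identified by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def declared_type(filename: str) -> Optional[str]:
    """Return the type implied by the filename's extension, or None if not mapped."""
    ext = os.path.splitext(filename)[1].lower()
    return EXTENSION_TYPES.get(ext)


def classify(filename: str, data: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """Compare sniffed and declared type; return (severity, actual, declared).

    Severity follows the page's table: HIGH when a PE hides behind any other
    extension, MEDIUM for an archive doing so, LOW for any other inconsistency.
    "NONE" means the two agree; "UNKNOWN" means one side could not be determined
    (plain text, for instance, has no signature), so no finding is raised.
    """
    actual = sniff_type(data[:HEADER_LEN])
    declared = declared_type(filename)
    if actual is None or declared is None:
        return ("UNKNOWN", actual, declared)
    if actual == declared:
        return ("NONE", actual, declared)
    if actual == "application/x-dosexec":
        return ("HIGH", actual, declared)
    if actual == "application/zip":
        return ("MEDIUM", actual, declared)
    return ("LOW", actual, declared)


def classify_file(path: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Read only the header bytes from disk; the file is never opened with its handler."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(HEADER_LEN))


if __name__ == "__main__":
    # Constructed inputs: the filenames and bytes are made up for the demo.
    samples = [
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE named as a PDF -> HIGH
        ("photo.jpg", b"PK\x03\x04\x14\x00\x00\x00"),     # ZIP named as a JPEG -> MEDIUM
        ("notes.txt", b"%PDF-1.7\n"),                     # PDF named as text -> LOW
        ("report.docx", b"PK\x03\x04\x14\x00\x00\x00"),   # OOXML is ZIP -> NONE
    ]
    for name, head in samples:
        print(name, classify(name, head))
```

Two design points are worth noting. A `.docx` whose bytes start with `PK` is consistent, not a mismatch, so the extension map has to know that Office Open XML files are ZIP containers. And the two-byte `MZ` check alone can misfire on a text file that happens to begin with those letters; a production scanner would confirm the `PE\0\0` header at the offset stored in the DOS stub before raising HIGH, which is why `classify` reports the evidence on both sides rather than only a verdict.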
- Do not open, execute, or extract a file that shows a HIGH severity mismatch. An executable disguised as a document is a strong indicator of malicious intent.
- Do not rename the file and try again. The content doesn't change with the name — the risk is in what the file actually is, not what it's called.
- For MEDIUM mismatches (archive with benign extension), inspect the archive contents before extracting. Look for executables, scripts, or macro-enabled Office files inside.
- Report to your security team if the file arrived via email or external download. Preserve the original as evidence.
- For LOW mismatches, investigate whether the mismatch is a tooling artifact (some converters produce mismatched MIME signatures) before concluding it is malicious.
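The MEDIUM-case guidance (inspect archive contents before extracting) as an added example, not code from the page: the archive is parsed in memory from the central directory, entries are flagged by executable or macro-enabled extension, and the signature check from the finding is applied inside the archive by decompressing only a short prefix of each member. Nothing is written to disk. The suffix list, the ratio threshold and the sample archive built by `build_sample_archive` are constructed for this example.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that run code or carry macros when opened; constructed subset.
RISKY_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".js", ".jse", ".vbs", ".wsf",
                  ".ps1", ".bat", ".cmd", ".hta", ".msi", ".docm", ".xlsm", ".pptm")
PE_MAGIC = b"MZ"
MAX_RATIO = 100  # uncompressed/compressed ratio above which a member is flagged (assumed)


def risky_entries(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for suspicious members of an in-memory ZIP.

    Only the central directory is parsed in full; for each member just enough
    of the stream is decompressed to read its first two bytes.
    """
    flagged: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(RISKY_SUFFIXES):
                flagged.append((name, "executable or macro-enabled extension"))
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: contents cannot be inspected without the password.
                flagged.append((name, "encrypted member, contents not inspectable"))
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                flagged.append((name, "extreme compression ratio"))
                continue
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                # Same mismatch as the finding itself, one level down.
                flagged.append((name, "PE signature behind a non-executable name"))
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: one harmless text file, a PE named as a PDF, a macro document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Please review the attached invoice.\n")
        zf.writestr("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64)
        zf.writestr("macro.docm", b"PK\x03\x04" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in risky_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```

Listing with `infolist()` shows names and sizes without extracting anything, and the encrypted-member check matters because a password-protected archive defeats the inner signature check entirely; such a member should be treated as uninspected rather than clean.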