Critical severity

Double Extension: document.pdf.exe

A file using a double extension such as 'report.pdf.exe' displays as 'report.pdf' in Windows Explorer, which hides the extension of registered file types by default, but is actually a Windows executable.

How This Attack Works

Windows hides the extension of registered file types by default, and .exe is one of them, so a file named 'report.pdf.exe' is listed as 'report.pdf'. The icon shown next to it is the executable's own icon resource, which the attacker sets to a PDF icon. Users believe they are opening a document but in fact run an executable. The technique is old and still common in commodity malware and phishing campaigns because it needs no exploit, only a misleading name.

Attack Vector

Attacker sends an email with the attachment 'invoice.pdf.exe'. Windows hides the .exe extension. The user sees 'invoice.pdf' and double-clicks. The executable runs with the user's privileges, so whatever the user can reach (files, network shares, mail) the malware can reach too.

Real-World Example

The CryptoLocker ransomware (2013) spread via email attachments using double extensions like .pdf.exe and .doc.scr. The ILOVEYOU worm (2000) used LOVE-LETTER-FOR-YOU.TXT.vbs.

Vulnerable Code

// UNSAFE: Only checking the first extension of the client-supplied name
// 'report.pdf.exe'.split('.') is ['report', 'pdf', 'exe'], so [1] is 'pdf'
const ext = filename.split('.')[1]; // Returns 'pdf'
if (['pdf', 'doc', 'txt'].includes(ext)) {
  allowUpload(file); // Allows .pdf.exe!
}

Safe Implementation

// SAFE: Check the LAST extension, which is the one the OS dispatches on
const parts = filename.toLowerCase().split('.');
const ext = parts.length > 1 ? parts.pop() : ''; // '' when there is no extension at all
const dangerous = ['exe','scr','com','pif','bat','cmd','vbs','js','jse','wsf','ps1','msi','hta'];
if (dangerous.includes(ext)) {
  reject("Dangerous file type");
}
// Better still: accept only an explicit allowlist, since a denylist is never complete
if (!['pdf','doc','docx','txt'].includes(ext)) {
  reject("File type not allowed");
}
// Also check for multiple extensions: after pop(), 'invoice.pdf.exe' leaves ['invoice','pdf']
if (parts.length > 1) {
  flag("Multiple extensions detected, review manually");
}

Safe Handling Guidelines

Enable 'Show file extensions' in Windows Explorer (View > File name extensions, or set HideFileExt to 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced via policy) so users see the full name. Validate uploads server-side: decide on the last extension, after stripping any trailing dots or spaces that Windows would remove from the saved name, and never trust the client-supplied filename or Content-Type header. Prefer an allowlist of permitted extensions to a denylist; if you keep a denylist, block executable and script types (.exe, .scr, .com, .pif, .bat, .cmd, .vbs, .js, .jse, .wsf, .ps1, .msi, .hta) regardless of any preceding extension. Treat any name with more than one extension as suspicious, and store files under a server-generated name so the original string is never used to decide how the file is handled.
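The policy described under Safe Implementation and Safe Handling Guidelines, carried through as an added example (not code from the original page): it normalises the name the way Windows will save it, dispatches on the last extension, rejects anything not on an allowlist, and routes multi-extension names to manual review. The function names, the extension sets and the sample filenames are assumptions constructed for this example.

```javascript
// Added example, not the page's own code. Names (classifyUpload, extensionsOf,
// normalizeFilename, SAMPLE_NAMES) and both extension sets are assumptions.

// Extensions the upload endpoint is willing to accept at all (allowlist).
const ALLOWED_FINAL = new Set(['pdf', 'doc', 'docx', 'txt', 'png', 'jpg', 'jpeg']);

// Extensions Windows (or a browser on Windows) will execute or script.
// Deliberately non-exhaustive: a denylist is a backstop, the allowlist decides.
const EXECUTABLE = new Set([
  'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse',
  'wsf', 'wsh', 'ps1', 'msi', 'msp', 'hta', 'cpl', 'lnk', 'jar',
]);

// Reduce the client-supplied name to what Windows would actually save:
// keep only the last path component and drop trailing dots and spaces,
// so "invoice.pdf.exe. " is judged as "invoice.pdf.exe".
function normalizeFilename(name) {
  const base = name.split(/[\\/]/).pop();
  return base.replace(/[. ]+$/, '');
}

// Every extension in order, lower-cased: "a.PDF.exe" -> ["pdf", "exe"].
// A name with no dot has no extension at all.
function extensionsOf(name) {
  const parts = normalizeFilename(name).split('.');
  return parts.length > 1 ? parts.slice(1).map((p) => p.toLowerCase()) : [];
}

// Decide what the upload handler does with a filename.
// Returns { verdict: 'accept' | 'reject' | 'review', reason }.
function classifyUpload(rawName) {
  const exts = extensionsOf(rawName);
  if (exts.length === 0) {
    return { verdict: 'reject', reason: 'no extension' };
  }
  const finalExt = exts[exts.length - 1];

  // 1. The LAST extension is what the OS dispatches on; block executables
  //    no matter which "document" extension precedes them.
  if (EXECUTABLE.has(finalExt)) {
    return { verdict: 'reject', reason: `executable extension .${finalExt}` };
  }
  // 2. Anything not explicitly allowed is rejected (allowlist beats denylist).
  if (!ALLOWED_FINAL.has(finalExt)) {
    return { verdict: 'reject', reason: `extension .${finalExt} not allowed` };
  }
  // 3. More than one extension is the shape of the lure even when the final
  //    one is acceptable; send it to a human rather than silently accepting.
  if (exts.length > 1) {
    return { verdict: 'review', reason: `multiple extensions: ${exts.join('.')}` };
  }
  return { verdict: 'accept', reason: 'single allowed extension' };
}

// Constructed sample filenames (not real uploads).
const SAMPLE_NAMES = [
  'report.pdf',
  'invoice.pdf.exe',
  'Invoice.PDF.EXE. ',             // Windows drops the trailing dot and space
  'LOVE-LETTER-FOR-YOU.TXT.vbs',
  'README',                        // no extension at all
  'notes.final.txt',               // benign double extension -> manual review
  'C:\\Users\\bob\\payload.doc.scr', // smuggled path, .scr is a screensaver executable
];

function classifyAll(names) {
  return names.map((n) => ({ name: n, ...classifyUpload(n) }));
}

for (const r of classifyAll(SAMPLE_NAMES)) {
  console.log(`${r.verdict.padEnd(7)} ${JSON.stringify(r.name)}  (${r.reason})`);
}
```

The review verdict is deliberate: a legitimate 'notes.final.txt' should not be silently dropped, but it should not be accepted by the same path as a single-extension name either, because that path is exactly what 'invoice.pdf.exe' is counting on. Whatever verdict is returned, persist the file under a server-generated name; the original string is only ever evidence, never an instruction.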

Affected Platforms

Windows
Email clients
File sharing services
Web upload forms