A simple cybersecurity tool that turned into a lesson about trust, psychology, and why file extensions lie.
The Moment That Started It
A friend of mine once received a file through chat.
The name looked harmless:
invoice_march.pdf.exe
He almost opened it.
Almost.
That single moment stuck in my head. Not because malware is advanced… but because it didn’t need to be.
The attack relied on something much simpler:
Human assumptions.
We don’t read filenames carefully. We pattern-match.
We see pdf → brain says document → double-click.
So I wondered:
Can I build a small tool that warns people before they open something dangerous?
I thought it would take a day.
It turned into one of my favorite cybersecurity Python projects.
Where It Started (7 Lines)
My first version was painfully simple:
```python
# Version 1: a suffix lookup against a hard-coded list, nothing more.
dangerous = [".exe", ".bat", ".cmd", ".scr", ".js", ".vbs", ".msi"]
filename = input("Enter file name: ").lower()
if any(filename.endswith(ext) for ext in dangerous):
    print("Suspicious file! Do NOT open.")
else:
    print("Looks safe (based on extension)")
```
It technically worked.
But it was basically a digital version of a security guard who checks only the color of your shirt.
Problems:
- No real file scanning
- No context
- No different risk levels
- No useful advice
I wanted something closer to a real security tool.
So I kept building.
Upgrade #1 — Threat Levels
Not every suspicious file is equally dangerous.
Opening a .pdf is not the same as executing a .exe.
So I designed a threat classification system:
🔴 CRITICAL
Direct executables
.exe .bat .cmd .dll .scr .msi
Double-clicking one of these runs code straight away (a .dll runs as soon as some process loads it).
🟠 HIGH
Scripting payloads
.js .vbs .ps1 .reg .hta
Often used in phishing emails and Windows attacks.
🟡 MEDIUM
Conditional risk
.py .sh .jar .docm .iso
Danger depends on how it is used.
🔵 LOW
Usually safe but exploitable
.pdf .zip .doc
Safe most of the time… but attackers love hiding here. Keep in mind that the legacy binary .doc format can carry VBA macros just like .docm, and a .zip is only as safe as whatever is inside it.
Now instead of a boring “safe/unsafe”, the tool explains why a file is risky.
The Sneakiest Trick: Double Extensions
Here’s the real villain.
photo.jpg.exe
document.pdf.exe
resume.docx.scr
Windows hides known extensions by default.
So users only see:
photo.jpg
But the OS runs:
photo.jpg.exe
That’s not hacking.
That’s social engineering.
My checker now automatically detects this and raises a critical warning.
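Here is one way to implement the tier table above together with the double-extension check. This is an added example written for this page, not the code from the author's file_checker.py. The tiers are the ones listed above; the decoy-suffix list, the whitespace-padding check and the Unicode bidirectional-override check are this example's own additions, and the last two go beyond what the post describes (a run of spaces before the real suffix pushes it out of view in narrow file listings, and U+202E RIGHT-TO-LEFT OVERRIDE makes a name such as `invoice\u202Efdp.exe` display as `invoiceexe.pdf` in many file managers). The sample names at the bottom are constructed for the demo.

```python
import re

# Threat tiers copied from the post's classification (assumption: nothing beyond
# the extensions the post lists). Keys are lower-case suffixes including the dot.
LEVELS = {
    "CRITICAL": {".exe", ".bat", ".cmd", ".dll", ".scr", ".msi"},
    "HIGH": {".js", ".vbs", ".ps1", ".reg", ".hta"},
    "MEDIUM": {".py", ".sh", ".jar", ".docm", ".iso"},
    "LOW": {".pdf", ".zip", ".doc"},
}
SUFFIX_LEVEL = {ext: level for level, exts in LEVELS.items() for ext in exts}

# Suffixes a user reads as "document or picture" when they sit in front of the real one
# (this list is the example's own, not the post's).
DECOY_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".jpg", ".jpeg", ".png", ".gif", ".txt", ".zip"}

# Unicode bidirectional controls. U+202E (RIGHT-TO-LEFT OVERRIDE) makes
# "invoice\u202Efdp.exe" display as "invoiceexe.pdf" in many file managers.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def suffixes_of(name: str) -> list[str]:
    """Split 'photo.jpg.exe' into ['.jpg', '.exe']; dotfiles such as '.bashrc' have none."""
    base = name.strip().lstrip(".")
    return ["." + part.strip().lower() for part in base.split(".")[1:] if part.strip()]


def classify(name: str) -> tuple[str, list[str]]:
    """Return (level, reasons). Level is one of the post's tiers or 'UNKNOWN'."""
    reasons: list[str] = []

    # Display-order spoofing defeats every suffix check, so it is flagged first.
    if any(ch in BIDI_CONTROLS for ch in name):
        return "CRITICAL", ["Unicode bidirectional control in name: displayed name differs from real name"]

    suffixes = suffixes_of(name)
    final = suffixes[-1] if suffixes else ""
    level = SUFFIX_LEVEL.get(final, "UNKNOWN")
    if final in SUFFIX_LEVEL:
        reasons.append(f"{final} is rated {level}")

    # "report.pdf                .exe": a run of spaces pushes the real suffix out of view.
    if re.search(r"\s{3,}\.", name):
        reasons.append("long whitespace run before the final suffix hides it in narrow views")
        if level in ("CRITICAL", "HIGH"):
            level = "CRITICAL"

    # Double extension: a decoy suffix followed by something that executes.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_SUFFIXES and level in ("CRITICAL", "HIGH"):
        reasons.append(f"double extension: shown as {suffixes[-2]} with extensions hidden, runs as {final}")
        level = "CRITICAL"

    return level, reasons


if __name__ == "__main__":
    # Constructed sample names for the demo.
    for sample in ("invoice_march.pdf.exe", "archive.tar.gz", "report.pdf",
                   "Script.PS1", "invoice\u202efdp.exe", "photo.jpg         .js"):
        level, reasons = classify(sample)
        print(f"{level:8} {sample!r}  {'; '.join(reasons)}")
```

`archive.tar.gz` is deliberately not flagged: a compound suffix is only a disguise when the part in front of the real one looks like a document or picture and the real one executes.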
Upgrade #2 — Scanning Real Files
The tool now accepts an actual file path and extracts metadata. It shows:
- File size
- Last modified time
- MIME type (guessed from the extension by mimetypes, so it is another label, not proof of content)
- SHA-256 hash
The hash matters a lot.
If a website claims:
“Download our official installer”
You can compare the hash.
If it doesn’t match, the file is not the same file. If it does match, you have byte-for-byte what the publisher hashed; that proves identity, not safety.
No guessing. Just math.
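The metadata step and the hash comparison, as an added example for this page (not the author's file_checker.py). It streams the file through hashlib.sha256 in chunks so a large installer never has to fit in memory, and compares a copy-pasted published hash with hmac.compare_digest after normalising case and whitespace. The sample file, its name `installer.pdf`, and the `demo` helper are constructed for the demo; the name is chosen on purpose so you can see mimetypes call 11 bytes of plain text a PDF.

```python
import hashlib
import hmac
import mimetypes
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte downloads do not land in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_file(path: Path, expected_sha256: Optional[str] = None) -> dict:
    """Collect the metadata the post lists and, if a published hash is given, compare it."""
    stat = path.stat()
    info = {
        "name": path.name,
        "size": stat.st_size,
        "modified": datetime.fromtimestamp(stat.st_mtime, tz=timezone.utc).isoformat(),
        # mimetypes guesses from the suffix only; it never reads the bytes.
        "mime": mimetypes.guess_type(path.name)[0],
        "sha256": sha256_of(path),
        "hash_matches": None,
    }
    if expected_sha256 is not None:
        # Normalise a copy-pasted hash (case, stray whitespace), then compare in constant time.
        published = "".join(expected_sha256.split()).lower()
        info["hash_matches"] = hmac.compare_digest(info["sha256"], published)
    return info


# Constructed sample standing in for a download: 11 bytes of text named like a PDF.
SAMPLE_BYTES = b"hello world"
# SHA-256 of b"hello world", the value a vendor page would publish.
SAMPLE_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"


def demo(expected: Optional[str] = SAMPLE_SHA256) -> dict:
    """Write the sample to a temp dir, inspect it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "installer.pdf"
        sample.write_bytes(SAMPLE_BYTES)
        return inspect_file(sample, expected)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13} {value}")
```

Because `published` is compared to a hex digest, anything that is not 64 lower-case hex characters (a SHA-1, an MD5, a line with a filename appended) simply fails to match rather than raising, which is the behaviour you want in a warning tool.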
Three Ways to Use the Tool
1) Interactive Mode
python file_checker.py
Scan multiple files one after another like a mini terminal application.
2) Single File Scan
python file_checker.py suspicious.exe -v
Instant analysis + metadata.
3) Directory Scan
python file_checker.py -d ~/Downloads
This one is powerful.
Your downloads folder is basically a wildlife reserve for questionable files 🐍
The script scans everything and summarizes results.
What I Actually Learned
This project taught me more cybersecurity than many theory classes.
1. File Extensions Are Lies
Extensions are just labels.
They are not security.
Real security tools inspect file headers, not names.
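What "inspect file headers" looks like in practice, as an added example for this page rather than code from the author's tool (the post lists magic-byte inspection as a future feature). The signature table is this example's own and deliberately short; the point it makes is that several extensions share one container (.docx, .jar and .zip are all ZIP archives; .doc, .xls and .msi are all OLE compound files; .exe, .dll and .scr are all PE images), so the check compares the suffix's expected container against what the first bytes say. The sample headers in the demo are constructed.

```python
from pathlib import Path
from typing import Optional

# Leading bytes of common formats (assumption: this table is the example's own).
SIGNATURES = {
    "pdf": [b"%PDF-"],
    "pe": [b"MZ"],                                  # Windows executables and DLLs
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],          # ZIP, also .docx/.xlsx/.jar
    "ole": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # legacy Office, .msi
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "elf": [b"\x7fELF"],
}

# Which container each suffix is supposed to be.
EXPECTED_KIND = {
    ".pdf": "pdf",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip",
    ".doc": "ole", ".xls": "ole", ".msi": "ole",
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
}

HEADER_LEN = 8  # longest signature in the table


def sniff(head: bytes) -> Optional[str]:
    """Name the container the leading bytes belong to, or None if nothing matches."""
    for kind, magics in SIGNATURES.items():
        if any(head.startswith(magic) for magic in magics):
            return kind
    return None


def check_header(name: str, head: bytes) -> tuple[str, str]:
    """Compare what the final suffix claims with what the bytes say.

    Returns (verdict, detail) with verdict 'ok', 'mismatch' or 'unverified'.
    """
    suffix = Path(name).suffix.lower()      # 'photo.jpg.exe' -> '.exe', the one that runs
    actual = sniff(head)
    expected = EXPECTED_KIND.get(suffix)
    if expected is None:
        return "unverified", f"no signature rule for {suffix or 'no extension'}; header says {actual or 'unknown'}"
    if actual == expected:
        return "ok", f"{suffix} matches a {expected} header"
    return "mismatch", f"{suffix} claims {expected}, header says {actual or 'unknown'} ({head[:4]!r})"


def check_file(path: Path) -> tuple[str, str]:
    """Read only the first HEADER_LEN bytes; the file is never executed or parsed further."""
    with path.open("rb") as fh:
        return check_header(path.name, fh.read(HEADER_LEN))


if __name__ == "__main__":
    # Constructed sample headers for the demo.
    samples = [
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE image wearing a .pdf name
        ("invoice.pdf", b"%PDF-1.7\n"),
        ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
        ("notes.txt", b"hello"),
    ]
    for name, head in samples:
        verdict, detail = check_header(name, head)
        print(f"{verdict:10} {name:14} {detail}")
```

A "mismatch" is evidence, not a verdict: some viewers tolerate junk before `%PDF-`, so a tool like this should escalate the warning and explain why rather than block outright. An "unverified" result (a .txt, an unknown suffix) means the check had nothing to compare against and the extension tiers above are all you have.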
2. Python Standard Library Is Underrated
I used:
- hashlib for hashing
- argparse for the CLI
- pathlib for file handling
- mimetypes for MIME type lookup (by extension only, so it is another label, not content inspection)
No external libraries.
Python already had everything.
3. Good CLI UX Matters
Security tools fail if people don’t use them.
So I added:
- Color output
- Clear warnings
- Contextual advice
- History in interactive mode
A security tool should feel helpful, not scary.
What This Tool Cannot Do
This is important.
This is not antivirus.
Limitations:
- No malware signature detection
- No behavioral analysis
- No packed malware detection
- No online database lookup
It’s a first-line warning system.
Think of it as a digital friend saying:
“Wait… are you sure you want to open that?”
Sometimes that 2-second pause prevents infection.
What I Want To Add Next
Future ideas:
- VirusTotal hash lookup
- File header inspection (magic bytes)
- Real-time folder monitoring
- JSON output for automation
Especially VirusTotal. That would make it genuinely useful.
Final Thoughts
Cybersecurity is not always about advanced exploits.
Many attacks succeed because:
- users trust filenames
- systems hide extensions
- people click fast
This tool won’t make you invincible.
But it will stop the most common mistake:
Opening the wrong file.
And honestly… that’s how a lot of compromises begin.
If you’re learning Python and cybersecurity, build tools like this.
You’ll learn file handling, hashing, CLI design, and threat modeling in one project.
Also:
Your downloads folder deserves suspicion.
Stay curious. Stay careful.
Top comments (1)
Awesome work dude! Keep it up, really interesting and important nowadays.