Safe ways to open suspicious documents
A malicious PDF can compromise your device before you finish reading the first page. Here is how to examine files you are unsure about — without putting everything you have at risk.
The file on your desktop might already be running
This is not a hypothetical. Malicious PDF and Office documents exploit vulnerabilities in the software you use every day to read them. When you double-click a compromised file, code can execute before you see a single page of content. By the time you close the file and think "that looked fine," keyloggers may already be installed, your passwords may already be transmitted to a remote server, and your files may already be in the process of being encrypted.
This is not a niche attack. Weaponized documents are the most common initial access method for ransomware groups targeting individuals and small businesses. In 2023, over 40% of all malware delivery occurred through document files — specifically PDFs, Word documents, and Excel spreadsheets.
Before you open anything
- Were you expecting this file? Unexpected documents from known contacts may indicate their account was compromised — attackers routinely use hijacked email accounts to deliver malware to address book contacts.
- Check the full file extension — a file named "invoice.pdf.exe" is an executable disguised as a PDF. Enable file extension visibility in your OS settings to see this.
- Check the sender's actual email address — not just their display name.
- Does the context make sense? An unsolicited "contract" from a company you've never contacted is almost certainly malicious. Even expected documents warrant care.
Safe examination methods — ranked by security level
- Upload to MountainShield for advisory review — we examine the file in an isolated environment and assess it for known malicious patterns, embedded links, and behavioral indicators. You get a clear recommendation without any local risk.
- Open in a cloud viewer (Google Drive or Office 365) — upload the file and open it via the web viewer. Macros will not execute, and embedded exploits are sandboxed by the cloud environment. This is the fastest safe option for most users.
- Use an online behavioral sandbox — services like any.run or Joe Sandbox execute the file in a controlled virtual environment and show exactly what it tries to do: what network connections it makes, what files it creates, what processes it spawns.
- Open on an isolated secondary device — a device you do not use for sensitive work, that can be wiped if necessary. Not your primary device.
- Use a virtual machine — a snapshotted VM provides the strongest isolation for technically proficient users. Open the file, observe behavior, revert to snapshot.
Signs the document is malicious
- The document asks you to "enable content," "enable macros," or "enable editing" to see the full content — this is a social engineering trigger to activate malicious code
- The visible content is intentionally blurred, covered by an image, or shown as a screenshot — a technique used to force you to click "enable"
- The document opens and immediately prompts for credentials or redirects to a login page
- Your device slows significantly or shows unexpected network activity after opening
- Your security software generates a warning — even if you dismiss it, take it seriously
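The extension check in the "before you open anything" list and the "enable content" sign above can both be made mechanical before a file is ever rendered. The script below is an added example, not MountainShield's tooling: it reads the bytes only, flags a disguised executable (last extension, MZ header), a mismatch between the claimed type and the content, the PDF keys that make a reader act on open or run script, and the VBA project inside a zip-based Office file that an "enable content" prompt would activate. The `triage` and `build_office` names and all sample files are constructed for the example; a clean result here does not replace a behavioral sandbox, it only tells you which of the obvious lures are present.

```python
"""Static triage of a suspicious document: read the bytes, never open the file.

Added example, not MountainShield's tooling. It automates the checks the
article asks you to make by hand: the real (last) file extension, whether the
content matches the claimed type, whether a PDF carries auto-run or script
hooks, and whether an Office file carries the VBA project that an
"enable content" lure would activate. All sample files below are constructed.
"""
import io
import re
import zipfile

# Leading bytes a file with the given extension is expected to start with.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04", "docm": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04", "xlsm": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",  # legacy OLE2 container
}
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}
# PDF dictionary keys that make a reader act on open or run script.
PDF_HOOKS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile"]


def triage(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. "invoice.pdf.exe": the operating system honours the LAST extension.
    if ext in EXECUTABLE_EXT:
        disguise = f" (disguised as .{parts[-2]})" if len(parts) > 2 else ""
        findings.append(f"executable extension .{ext}{disguise}")
    if data.startswith(b"MZ"):
        findings.append("content starts with an MZ header: a Windows executable")

    # 2. Does the content match the type the name claims?
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match a .{ext} file")

    # 3. PDF: count auto-run and script hooks (pdfid-style name matching).
    if data.startswith(b"%PDF-"):
        for key in PDF_HOOKS:
            # The look-ahead stops /JS from also matching a longer name.
            hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
            if hits:
                findings.append(f"PDF contains {key.decode()} x{hits}")

    # 4. Zip-based Office file: a VBA project is what "enable content" activates.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("zip-based Office file is not a valid zip archive")
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"Office file contains {name} (VBA macros)")
    return findings


def build_office(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package, optionally with a VBA project stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
    return buf.getvalue()


# Constructed samples: a PDF whose catalog runs script on open, a clean PDF,
# and a disguised executable (MZ header, no real code).
SAMPLE_PDF_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
    b"2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
SAMPLE_DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for fname, blob in [
        ("report.pdf", SAMPLE_PDF_WITH_JS),
        ("notes.pdf", SAMPLE_PDF_CLEAN),
        ("invoice.pdf.exe", SAMPLE_DISGUISED_EXE),
        ("invoice.docm", build_office(with_macros=True)),
        ("quote.docx", build_office(with_macros=False)),
    ]:
        print(fname, "->", triage(fname, blob) or ["nothing flagged"])
```

Run it against a file you have saved but not opened by passing the name and `open(path, "rb").read()` to `triage`. Each finding maps to an item in the lists above; a PDF with `/OpenAction` plus `/JavaScript`, or an Office file with `vbaProject.bin`, is exactly the kind of document the cloud viewer or sandbox options exist for.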
What to do if you already opened it
Disconnect from the internet immediately. Do not close your security software — let it scan. Do not enter any credentials into any application until you have verified your device is clean. If the file asked you to enable macros and you did, treat the device as potentially compromised and seek professional assistance.
Submit the file and context to MountainShield. We can help you assess what likely happened and what to do next.
Not sure?
Submit it for advisory review
If you have something suspicious you want assessed, submit it and we'll provide a recommendation based on available indicators within your plan's SLA.