You double-click a file and nothing happens. Or it opens in the wrong program and shows garbage. Or you have an email attachment named invoice.pdf and something about it feels off. In every one of these cases the filename is failing you, and the only thing that can answer the question “what is this, really?” is the file itself.
This guide explains how a file’s true type is worked out from its own contents, when you’d reach for that, and how to read what the file type detector tells you. Everything below happens in your browser. The file you check never leaves your device.
Why a file’s extension can’t be trusted
An extension is just the few letters after the dot in a filename, and it’s plain text that anyone can edit. Renaming cat.jpg to cat.pdf changes nothing about the actual image data. Your computer leans on the extension as a shortcut for picking a program to open the file, but it is a label, not proof.
Extensions go wrong in three common ways:
- Missing. Files exported from servers, pulled out of archives, or transferred between systems often arrive with no extension at all. The data is intact, but your operating system has no hint about which program to use.
- Wrong. A download interrupted partway, a save dialog with the wrong type selected, or a copy-paste that dropped the suffix can leave a perfectly good file wearing the wrong name.
- Misleading on purpose. This is the one that matters for safety. An attacker can name an executable holiday-photos.jpg so it looks harmless in your inbox. The name says image. The contents say program.
Because the label is so easy to fake or lose, you need a way to ask the file directly.
How the real format is identified
Most file formats announce themselves in their opening bytes. Near the very start of a JPEG, a PDF, a PNG, a ZIP, an MP4, there’s a short fixed pattern that’s the same in every file of that kind. Think of it as a fingerprint stamped into the front of the file. A type detector reads that opening pattern, compares it against a library of known fingerprints, and reports the match. The filename is never consulted.
This is why detection is reliable where extensions are not. You can rename a file a hundred times, but you can’t rename what’s inside it without actually changing the data. The signature stays honest.
Why some files report a “container” type first
A few formats are built as containers. A Word document, an Excel sheet, an EPUB ebook, and many app save-files are really ZIP archives with a known folder structure tucked inside. Their opening fingerprint looks exactly like a plain ZIP, so an honest first answer is “ZIP archive.” A capable detector goes one step further and looks at the names of the files packed inside to tell you it’s specifically a Word document or a spreadsheet. If you ever see a bare “ZIP” result for something you expected to be an Office file, that’s normal, not a failure.
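The container refinement described above, as an added example (not the detector's own code). It walks the ZIP local file headers to collect entry names and then looks for the folder layout of a Word, Excel, or EPUB file. The function names and the sample archive are constructed for illustration, and the walk assumes each local header records its sizes (no data descriptor).

```javascript
// Added example: walk ZIP local file headers ("PK\x03\x04") to list entry names.
// Assumption: sizes are stored in each local header (no data descriptor).
function zipEntryNames(bytes, limit = 64) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const names = [];
  let pos = 0;
  while (pos + 30 <= bytes.length && names.length < limit &&
         view.getUint32(pos, true) === 0x04034b50) {
    const flags = view.getUint16(pos + 6, true);
    const dataLen = view.getUint32(pos + 18, true);   // compressed size
    const nameLen = view.getUint16(pos + 26, true);
    const extraLen = view.getUint16(pos + 28, true);
    if (pos + 30 + nameLen > bytes.length) break;     // truncated header
    names.push(new TextDecoder().decode(bytes.subarray(pos + 30, pos + 30 + nameLen)));
    if (flags & 0x0008) break;  // sizes deferred to a data descriptor: stop here
    pos += 30 + nameLen + extraLen + dataLen;
  }
  return names;
}

function refineZipType(bytes) {
  const names = zipEntryNames(bytes);
  if (names.length === 0) return "not a ZIP archive";
  if (names[0] === "mimetype" && names.some(n => n.startsWith("META-INF/"))) return "EPUB ebook";
  if (names.includes("[Content_Types].xml")) {
    if (names.some(n => n.startsWith("word/"))) return "Word document";
    if (names.some(n => n.startsWith("xl/"))) return "Excel spreadsheet";
  }
  return "ZIP archive";
}

// Constructed sample: local headers only, each entry holding 3 bytes of dummy data.
function buildSampleZip(entryNames) {
  const parts = [];
  for (const name of entryNames) {
    const nameBytes = new TextEncoder().encode(name);
    const header = new Uint8Array(30 + nameBytes.length + 3);
    const hv = new DataView(header.buffer);
    hv.setUint32(0, 0x04034b50, true);         // local file header signature
    hv.setUint32(18, 3, true);                 // compressed size
    hv.setUint32(22, 3, true);                 // uncompressed size
    hv.setUint16(26, nameBytes.length, true);  // file name length
    header.set(nameBytes, 30);
    parts.push(...header);
  }
  return Uint8Array.from(parts);
}

console.log(refineZipType(buildSampleZip(["[Content_Types].xml", "_rels/.rels", "word/document.xml"])));
```

A result that stays at plain "ZIP archive" here means only that none of the known layouts was found among the entry names read.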
When you actually need this
You don’t reach for a type detector every day. You reach for it at the exact moments a filename has stopped being useful:
- A file with no extension. You’ve got a file called export or data with nothing after it, and you need to know what to open it with.
- A download that won’t open. The file claims to be one thing, your program refuses it, and you suspect the real format is different from the name.
- A suspicious attachment. Something arrived unexpectedly and you want to confirm its real type before you go anywhere near it.
- Sorting a pile of recovered files. Data recovery and forensic exports frequently produce files stripped of their original names. Detection lets you sort them back into types.
How to read the result
Drop your file in and the detector gives you a plain answer: the detected format, usually with both a friendly name (such as “JPEG image” or “PDF document”) and the technical type that programs use behind the scenes. Alongside that, you’ll often see a small confidence indication and a short hex view.
The detected type is the headline. If it matches what you expected, you’re done, and now you know which program to assign. If it doesn’t match the extension on the name, keep reading the next section, because that gap is the interesting part.
Making sense of the hex view
The hex view shows the raw opening bytes of the file in two columns. On the left, each byte is written as a pair of characters using the digits 0 to 9 and letters A to F, which is just a compact way to display the numbers a computer stores. On the right, the same bytes are shown as text where they happen to be readable.
You do not need to memorise any of it. The reason it’s shown is so you can see the fingerprint with your own eyes. Many formats leave human-readable clues right there at the start: a PDF literally begins with the letters PDF, a PNG shows PNG a couple of bytes in, a ZIP shows PK. Spotting those in the readable column is a quick sanity check that the detected type is right.
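The two-column layout described above can be produced with a few lines of code. This is an added example, not the tool's own implementation; the function name `hexView` and the sample bytes are constructed for illustration.

```javascript
// Added example: format the opening bytes of a file as hex pairs plus readable text.
function hexView(bytes, width = 16, maxBytes = 64) {
  const rows = [];
  const shown = bytes.subarray(0, maxBytes);   // only the start of the file matters
  for (let off = 0; off < shown.length; off += width) {
    const chunk = shown.subarray(off, off + width);
    // Left column: each byte as two hex characters (0-9, A-F)
    const hex = Array.from(chunk, b => b.toString(16).toUpperCase().padStart(2, "0")).join(" ");
    // Right column: printable ASCII (0x20..0x7E) as text, everything else as "."
    const text = Array.from(chunk, b =>
      (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : ".").join("");
    rows.push({
      offset: off.toString(16).padStart(8, "0"),
      hex: hex.padEnd(width * 3 - 1),          // keep the text column aligned
      text,
    });
  }
  return rows;
}

// Constructed sample: the PNG signature followed by the start of its first chunk.
const pngStart = Uint8Array.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
]);
for (const r of hexView(pngStart)) console.log(`${r.offset}  ${r.hex}  ${r.text}`);
```

In the output the letters PNG appear in the readable column one byte after the start, which is the kind of clue the paragraph above describes.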
The security angle: when the name and the type disagree
This is the part worth slowing down for. A mismatch between the extension and the real detected type is one of the cleanest warning signs you can get for free.
Consider the table below.
| Filename says | Detector reports | What it likely means |
|---|---|---|
| report.pdf | PDF document | Consistent. Normal file. |
| photos.jpg | JPEG image | Consistent. Normal file. |
| invoice.pdf | Windows executable | Danger. A program dressed up as a document. |
| update.doc | Script or archive | Suspicious. Worth deleting unopened. |
The first two rows are what healthy files look like: the name and the contents agree. The last two are the pattern attackers rely on. They give a dangerous file a boring, trustworthy-looking name and count on you trusting the label. A detector strips the disguise off in seconds because it ignores the name entirely and reports what the bytes actually are.
A mismatch is not always malicious. A renamed download or a wrongly saved export can produce a harmless mismatch too. But the rule is simple: if the real type isn’t what the name promised, stop. Don’t open it, don’t run it. Find out why the two disagree before you do anything else. For files you trust but want to confirm haven’t been altered in transit, pairing this check with a checksum gives you both halves of the picture: what the file is, and whether it’s exactly the copy you expected.
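The signature lookup from "How the real format is identified" and the name-versus-content comparison from this section fit in one short routine. This is an added example, not the detector's own code: the signature table is a small constructed subset, and the names `detectType` and `checkFile` are hypothetical. The sample inputs are constructed header bytes, not real files.

```javascript
// Added example: match opening bytes against known signatures, then compare
// the result with the extension in the filename. The filename is never used
// for detection itself.
const SIGNATURES = [
  { type: "JPEG image", offset: 0, magic: [0xff, 0xd8, 0xff], exts: ["jpg", "jpeg"] },
  { type: "PNG image", offset: 0, magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], exts: ["png"] },
  { type: "PDF document", offset: 0, magic: [0x25, 0x50, 0x44, 0x46, 0x2d], exts: ["pdf"] },
  { type: "ZIP archive", offset: 0, magic: [0x50, 0x4b, 0x03, 0x04], exts: ["zip", "docx", "xlsx", "epub"] },
  // "ftyp" at offset 4 marks the MP4 family of ISO media files
  { type: "MP4-family media", offset: 4, magic: [0x66, 0x74, 0x79, 0x70], exts: ["mp4", "m4v", "m4a", "mov"] },
  // "MZ" is only two bytes, so this is a weak match on its own
  { type: "Windows executable", offset: 0, magic: [0x4d, 0x5a], exts: ["exe", "dll"] },
];

function detectType(bytes) {
  return SIGNATURES.find(s =>
    bytes.length >= s.offset + s.magic.length &&
    s.magic.every((b, i) => bytes[s.offset + i] === b)) || null;
}

function checkFile(filename, bytes) {
  const dot = filename.lastIndexOf(".");
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : "";
  const sig = detectType(bytes);
  let verdict;
  if (!sig) verdict = "unknown";            // no signature matched: no claim either way
  else if (!ext) verdict = "no-extension";  // the name tells us nothing
  else verdict = sig.exts.includes(ext) ? "consistent" : "mismatch";
  return { detected: sig ? sig.type : null, ext, verdict };
}

// Constructed samples: only the opening bytes, mirroring rows of the table above.
const pdfHeader = new TextEncoder().encode("%PDF-1.7\n");
const mzHeader = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00]);
console.log(checkFile("report.pdf", pdfHeader));   // consistent
console.log(checkFile("invoice.pdf", mzHeader));   // mismatch
```

A "mismatch" verdict is the stop signal described above; "unknown" only means the small table here has no matching signature.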
A quick mental checklist
When a file’s identity is in doubt, run through this:
1. Does it have an extension? If not, the name tells you nothing. Go straight to detection.
2. Does the detected type match the extension? If yes, you’re fine. If no, treat it as a red flag.
3. Does the readable part of the hex view back up the detected type? A quick second confirmation costs you nothing.
4. For anything unexpected or unsolicited, let a “no” on step 2 be a full stop, not a speed bump.
Reading a file’s true type takes a few seconds and asks nothing of you beyond dragging it into the page. The whole check runs locally in your browser, so even a file you don’t trust stays on your own machine the entire time.