2025-10-23, Europe
Ftguess is an open-source tool designed to identify file formats in a more precise and robust way than traditional tools such as file/libmagic and TrID, or even the recent Magika, especially in the context of malware detection and analysis. Indeed, in some cases, those tools may be fooled by specially crafted files or polyglots.
Such tools are often used by malware detection and analysis platforms to decide how to process files. Malware may go undetected if the file format is wrongly identified, for example if a malicious PDF is processed as an innocuous HTML file.
Ftguess implements a new algorithm designed to overcome this issue.
This presentation will show several real cases of malware wrongly identified by malware analysis platforms, and how ftguess can be used to improve detection.
Most of the malware analysis and detection platforms like VirusTotal, MalwareBazaar or AssemblyLine rely on tools such as file/libmagic, TrID and Magika to identify the format of a file, in order to decide which tools and algorithms should be used to process the file. This approach works great in most cases, but once in a while we can observe wrong results.
When a file format is wrongly identified, automated analysis tools may not see the true nature of the file and fail to extract relevant information. In the worst case, a malicious file might bypass detection and reach its target without being blocked.
This happens mostly in two situations:
- When the file is a polyglot, which means it combines the structures of two or more different file formats in one;
- or when the file is malformed in a way that fools file/libmagic/TrID, while still being accepted by its target application.
Several real-life cases will be demonstrated during the presentation.
In fact, the main issue with file format identification tools, including file/libmagic, TrID and Magika, is that they rely solely on the content of the file being analysed, whereas current operating systems such as Windows and GNU/Linux use the file extension to decide which application should open a file. Unlike those tools, ftguess takes both the file content and its extension into account to better identify the intended file format.
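As an added illustration of the content-plus-extension idea described above (example code written for this page, not ftguess's own implementation; the signatures, the extension table and the polyglot sample are all constructed for the example):

```python
import os
import re

# Constructed signatures for three formats (not ftguess's real signature database).
# Acrobat accepts "%PDF-" anywhere in the first 1024 bytes, so a PDF whose header is
# preceded by other content still opens as a PDF, while an offset-0 check misses it.
CONTENT_DETECTORS = {
    "PDF": lambda data: b"%PDF-" in data[:1024],
    "HTML": lambda data: re.search(rb"<(html|body|script)\b", data[:4096], re.I) is not None,
    "ZIP": lambda data: data.startswith(b"PK\x03\x04"),
}

# Which format the extension asks the operating system to open the file as.
EXTENSION_TO_FORMAT = {".pdf": "PDF", ".html": "HTML", ".htm": "HTML", ".zip": "ZIP"}


def content_candidates(data):
    """Every format whose signature is present in the bytes (a polyglot has several)."""
    return sorted(fmt for fmt, detect in CONTENT_DETECTORS.items() if detect(data))


def guess_format(filename, data):
    """Combine content signatures with the extension, as the abstract describes.

    Returns (format, verdict). When the content matches several formats, the
    extension decides which one the target application will actually use; a
    contradiction between extension and content is reported, not hidden.
    """
    expected = EXTENSION_TO_FORMAT.get(os.path.splitext(filename)[1].lower())
    candidates = content_candidates(data)
    if not candidates:
        return None, "no known signature"
    if expected in candidates:
        verdict = "polyglot, extension selects" if len(candidates) > 1 else "content and extension agree"
        return expected, verdict
    # Extension unknown or contradicting the content: trust the content, but flag it.
    return candidates[0], "extension mismatch: content looks like " + "/".join(candidates)


# Constructed HTML/PDF polyglot: an HTML document followed by a minimal PDF skeleton.
# A content-only tool checking offset 0 reports HTML; with a .pdf extension the
# file would be opened by a PDF reader, so PDF is the intended format.
POLYGLOT = (b"<html><body>invoice</body></html>\n"
            b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n")
```

Running `guess_format("invoice.pdf", POLYGLOT)` yields PDF with a polyglot verdict, while the same bytes named `invoice.html` yield HTML, which is the distinction the abstract says content-only tools cannot make.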
Parsing weaponized file formats since 2000, author of oletools and olefile.
R&D and Product Manager at GLIMPS. Formerly at Quarkslab, ESA, NCIA and DGA.
https://linktr.ee/decalage