Magic Number / File Type Detector

Identify a file's true type from its magic bytes, not just its extension.

Free magic-number file type detector. Reads the first bytes of any file in your browser and matches them against dozens of signatures (PNG, JPEG, PDF, ZIP, ELF, MP4 and more), warning when the extension lies. No upload. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is a magic number?

A magic number is a short, fixed byte sequence at the start of a file that identifies its format, such as 89 50 4E 47 for PNG or 25 50 44 46 (%PDF) for PDF. It is far more reliable than the filename extension.

The filename extension is only a hint — anyone can rename invoice.pdf to invoice.jpg. The real identity of a file lives in its first few bytes, the magic number that nearly every binary format stamps at the start. This tool reads those bytes in your browser and tells you what a file truly is, then warns you if its extension is lying.

How it works

Most file formats begin with a fixed byte signature at a known offset. The detector reads the first 512 bytes of your file and compares them against a library of signatures, each defined as a hex pattern plus the offset where it must appear:

  • 89 50 4E 47 0D 0A 1A 0A at offset 0 is a PNG image.
  • FF D8 FF is a JPEG, 25 50 44 46 2D (%PDF-) is a PDF, and 50 4B 03 04 (PK..) is a ZIP container.
  • 7F 45 4C 46 is an ELF executable, 4D 5A (MZ) is a Windows PE, and 66 74 79 70 at offset 4 marks the MP4/ISO-BMFF family.

A signature can include wildcard bytes and can sit at a non-zero offset — TAR’s ustar marker, for instance, lives at offset 257. When the leading bytes match, the format, its MIME type and its typical extensions are reported.

Common magic number signatures

Hex bytesASCIIFormat
89 50 4E 47 0D 0A 1A 0A.PNG....PNG image
FF D8 FFÿØÿJPEG image
47 49 46 38GIF8GIF image
25 50 44 46 2D%PDF-PDF document
50 4B 03 04PK..ZIP / DOCX / XLSX / JAR / APK
7F 45 4C 46.ELFELF executable (Linux/Unix)
4D 5AMZWindows PE executable / DLL
52 49 46 46RIFFWAV or AVI (followed by type)
49 44 33ID3MP3 with ID3 tag
00 00 01 BA....MPEG video stream
66 74 79 70 at offset 4ftypMP4 / MOV / M4A (ISO-BMFF)
75 73 74 61 72 at offset 257ustarTAR archive
1F 8BGzip compressed data
42 5A 68BZhBzip2 compressed data
FD 37 7A 58 5A 00ý7zXZ.XZ compressed data

The ZIP family problem

One important subtlety: several modern file formats are secretly ZIP archives with different contents inside. A DOCX, XLSX, PPTX, ODP, JAR, APK, and EPUB all begin with PK (the ZIP magic bytes). The detector can tell you a file is a ZIP container, but distinguishing DOCX from XLSX requires reading the internal directory — which is beyond what a magic-byte check alone can do.

This means if you drop a DOCX file named report.xlsx, the detector will see ZIP bytes and report a ZIP family match. The extension mismatch warning tells you the claim doesn’t match the detected container type, but the specific Office format type requires deeper inspection.

Where this is useful in security work

Content-type spoofing is a real attack vector: a malicious actor renames an executable to .jpg hoping the receiving system will render it as an image. A magic number check at the server or client catches this. Similarly, file upload validators in web applications should never trust the extension alone — checking the magic bytes of uploaded files is a basic security hygiene step.

The mismatch warning is also useful in forensic and incident-response contexts: a directory full of files with mismatched extensions is a common indicator of data exfiltration attempts or file obfuscation. Only the first 512 bytes are read, entirely in your browser, so nothing is uploaded.

Why extension checks matter

Because some signatures are shared — a DOCX is really a ZIP, an APK is really a ZIP — a single magic number can map to several formats, and the tool lists them all. More importantly, it compares the detected type against the file’s actual extension. If you upload report.png and the bytes say it is a PDF, you get an explicit mismatch warning. That is useful for spotting renamed downloads, broken uploads, content-type spoofing in security work, and forensic triage. Only the first 512 bytes are read, entirely in your browser, so nothing is uploaded.