The filename extension is only a hint — anyone can rename invoice.pdf to invoice.jpg. The real identity of a file lives in its first few bytes, the magic number that nearly every binary format stamps at the start. This tool reads those bytes in your browser and tells you what a file truly is, then warns you if its extension is lying.
How it works
Most file formats begin with a fixed byte signature at a known offset. The detector reads the first 512 bytes of your file and compares them against a library of signatures, each defined as a hex pattern plus the offset where it must appear:
89 50 4E 47 0D 0A 1A 0Aat offset 0 is a PNG image.FF D8 FFis a JPEG,25 50 44 46 2D(%PDF-) is a PDF, and50 4B 03 04(PK..) is a ZIP container.7F 45 4C 46is an ELF executable,4D 5A(MZ) is a Windows PE, and66 74 79 70at offset 4 marks the MP4/ISO-BMFF family.
A signature can include wildcard bytes and can sit at a non-zero offset — TAR’s ustar marker, for instance, lives at offset 257. When the leading bytes match, the format, its MIME type and its typical extensions are reported.
Common magic number signatures
| Hex bytes | ASCII | Format |
|---|---|---|
89 50 4E 47 0D 0A 1A 0A | .PNG.... | PNG image |
FF D8 FF | ÿØÿ | JPEG image |
47 49 46 38 | GIF8 | GIF image |
25 50 44 46 2D | %PDF- | PDF document |
50 4B 03 04 | PK.. | ZIP / DOCX / XLSX / JAR / APK |
7F 45 4C 46 | .ELF | ELF executable (Linux/Unix) |
4D 5A | MZ | Windows PE executable / DLL |
52 49 46 46 | RIFF | WAV or AVI (followed by type) |
49 44 33 | ID3 | MP3 with ID3 tag |
00 00 01 BA | .... | MPEG video stream |
66 74 79 70 at offset 4 | ftyp | MP4 / MOV / M4A (ISO-BMFF) |
75 73 74 61 72 at offset 257 | ustar | TAR archive |
1F 8B | .· | Gzip compressed data |
42 5A 68 | BZh | Bzip2 compressed data |
FD 37 7A 58 5A 00 | ý7zXZ. | XZ compressed data |
The ZIP family problem
One important subtlety: several modern file formats are secretly ZIP archives with
different contents inside. A DOCX, XLSX, PPTX, ODP, JAR, APK, and EPUB all begin
with PK (the ZIP magic bytes). The detector can tell you a file is a ZIP container,
but distinguishing DOCX from XLSX requires reading the internal directory — which is
beyond what a magic-byte check alone can do.
This means if you drop a DOCX file named report.xlsx, the detector will see ZIP
bytes and report a ZIP family match. The extension mismatch warning tells you the
claim doesn’t match the detected container type, but the specific Office format type
requires deeper inspection.
Where this is useful in security work
Content-type spoofing is a real attack vector: a malicious actor renames an
executable to .jpg hoping the receiving system will render it as an image. A magic
number check at the server or client catches this. Similarly, file upload validators
in web applications should never trust the extension alone — checking the magic bytes
of uploaded files is a basic security hygiene step.
The mismatch warning is also useful in forensic and incident-response contexts: a directory full of files with mismatched extensions is a common indicator of data exfiltration attempts or file obfuscation. Only the first 512 bytes are read, entirely in your browser, so nothing is uploaded.
Why extension checks matter
Because some signatures are shared — a DOCX is really a ZIP, an APK is really a ZIP — a single magic number can map to several formats, and the tool lists them all. More importantly, it compares the detected type against the file’s actual extension. If you upload report.png and the bytes say it is a PDF, you get an explicit mismatch warning. That is useful for spotting renamed downloads, broken uploads, content-type spoofing in security work, and forensic triage. Only the first 512 bytes are read, entirely in your browser, so nothing is uploaded.