Critical severity

MIME Spoofing: Executable Disguised as PDF

An executable file (.exe) with its Content-Type header set to application/pdf, tricking browsers and email clients into treating it as a safe document.

How This Attack Works

MIME spoofing occurs when a file's declared Content-Type doesn't match its actual content. Attackers rename malicious executables with innocent extensions or serve them with misleading MIME types. If the receiving application trusts the MIME type without verifying magic bytes, it may execute or open the file unsafely.

Attack Vector

Email attachment with .pdf extension but executable content. Web download served with Content-Type: application/pdf but containing PE executable bytes.

Real-World Example

Emotet campaigns relied heavily on email-delivered Office documents carrying malicious macros. The attachment name and declared type gave no reliable signal of the real format: a macro-enabled OOXML document (.docm) can be sent with a .doc name, and Word identifies the format from the file's content rather than its extension, so the document opens and the macro prompt appears regardless of what the name suggests.

Vulnerable Code

// UNSAFE: Trusting the file extension
const isPDF = file.name.endsWith('.pdf');
if (isPDF) {
  // Dangerous! File could be anything
  openDocument(file);
}

Safe Implementation

// SAFE: Verify magic bytes before trusting the name or Content-Type
async function openIfPdf(file) {
  const buffer = await file.slice(0, 4).arrayBuffer(); // file is a File/Blob
  const bytes = new Uint8Array(buffer);
  // "%PDF" must appear at offset 0; a leading "MZ" marks a PE executable
  const isPDF = bytes[0] === 0x25 && bytes[1] === 0x50
             && bytes[2] === 0x44 && bytes[3] === 0x46; // %PDF
  if (!isPDF) {
    throw new Error("File content doesn't match PDF format");
  }
  openDocument(file);
}

Safe Handling Guidelines

Always verify file content by checking magic bytes, not just the extension or the declared MIME type. Use libraries like file-type (Node.js) or python-magic to detect the actual content, and require that extension, declared type and detected type all agree; reject the file if any of them disagree. Check the signature at offset 0: PDF readers tolerate bytes before the %PDF header, which is how PE/PDF polyglots are built, so a file that starts with MZ is an executable even if %PDF appears later. When serving downloads, send X-Content-Type-Options: nosniff and Content-Disposition: attachment so the browser does not reinterpret the content on its own.
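The guidelines above, as an added example in Node.js (this is not code from the original page): a small detector that identifies the container format from the bytes at offset 0, compares it with the declared Content-Type and the filename's extension, and rejects on any disagreement. The signature table, the MIME type strings it maps to, and the sample byte strings are constructed for this example; a real upload handler would read the bytes from the request body or disk, and a library such as file-type covers far more formats than the handful listed here.

```javascript
// Added example (not from the original page): detect a file's real format from
// its leading bytes and compare it with what the sender declared.
// The signatures are well-known magic numbers; the samples below are
// constructed byte strings, not real files.

const SIGNATURES = [
  // Order matters: executable containers are tested before document types so
  // that a PE/PDF polyglot (MZ at offset 0, %PDF further in) is classed as PE.
  { type: 'application/vnd.microsoft.portable-executable', ext: ['exe', 'dll'],
    magic: [0x4d, 0x5a] },                                           // "MZ"
  { type: 'application/x-elf', ext: ['elf', 'so'],
    magic: [0x7f, 0x45, 0x4c, 0x46] },                               // "\x7fELF"
  { type: 'application/pdf', ext: ['pdf'],
    magic: [0x25, 0x50, 0x44, 0x46] },                               // "%PDF"
  { type: 'application/msword', ext: ['doc', 'xls', 'ppt'],
    magic: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] },       // legacy Office (CFB)
  // OOXML (.docx/.docm/.xlsx) is a ZIP; telling .docx from .docm needs a look
  // inside the archive ([Content_Types].xml), which is out of scope here.
  { type: 'application/zip', ext: ['zip', 'docx', 'docm', 'xlsx'],
    magic: [0x50, 0x4b, 0x03, 0x04] },                               // "PK\x03\x04"
  { type: 'image/png', ext: ['png'],
    magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
];

function startsWith(bytes, magic) {
  if (bytes.length < magic.length) return false;
  return magic.every((b, i) => bytes[i] === b);
}

function hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join(' ');
}

// Identify the container format from the bytes at offset 0 only.
function detectType(bytes) {
  for (const sig of SIGNATURES) {
    if (startsWith(bytes, sig.magic)) return sig;
  }
  return null;
}

// Decide whether an upload may be handled as the type the client declared.
// declaredType is the Content-Type header; filename is the user-supplied name.
function validateUpload({ filename, declaredType, bytes }) {
  const detected = detectType(bytes);
  const ext = (filename.split('.').pop() || '').toLowerCase();
  if (!detected) {
    return { ok: false, reason: `unrecognised content (first bytes ${hex(bytes.slice(0, 4))})` };
  }
  if (detected.type !== declaredType) {
    return { ok: false, reason: `declared ${declaredType} but content is ${detected.type}` };
  }
  if (!detected.ext.includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match ${detected.type}` };
  }
  return { ok: true, type: detected.type };
}

// Constructed samples (not real files): only the leading bytes matter here.
const SAMPLES = {
  genuinePdf: { filename: 'invoice.pdf', declaredType: 'application/pdf',
                bytes: Buffer.from('%PDF-1.7\n%\xe2\xe3\xcf\xd3\n', 'latin1') },
  exeAsPdf:   { filename: 'invoice.pdf', declaredType: 'application/pdf',
                bytes: Buffer.from('MZ\x90\x00\x03\x00\x00\x00', 'latin1') },
  // PE header first, PDF header later: the shape of a PE/PDF polyglot
  polyglot:   { filename: 'report.pdf', declaredType: 'application/pdf',
                bytes: Buffer.from('MZ\x90\x00' + '\x00'.repeat(60) + '%PDF-1.4', 'latin1') },
  // OOXML content sent under a legacy .doc name and MIME type
  docmAsDoc:  { filename: 'resume.doc', declaredType: 'application/msword',
                bytes: Buffer.from('PK\x03\x04\x14\x00\x06\x00', 'latin1') },
};

function checkAll() {
  const results = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    results[name] = validateUpload(sample);
  }
  return results;
}

for (const [name, r] of Object.entries(checkAll())) {
  console.log(name.padEnd(11), r.ok ? 'ACCEPT' : 'REJECT', r.reason || r.type);
}
```

Only genuinePdf is accepted. The executable disguised as a PDF and the polyglot are both rejected for the same reason (content is PE), and the OOXML file named .doc is rejected because its declared type does not match the ZIP container it actually is. The same three-way agreement check applies to any other format you add to the table.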

Affected Platforms

Email clients
Web browsers
File upload APIs
CMS platforms