1.3 Determining File Type Using Python

In Python, the python-magic module can be used to determine the file type. The installation of this module on the Ubuntu Linux VM was covered in Chapter 1, Introduction to Malware Analysis. On Windows, to install the python-magic module, you can follow the procedure described at https://github.com/ahupp/python-magic.

Once python-magic is installed, the following commands can be used in a script (or, as shown here, in the interactive interpreter) to determine the file type. Note that the magic.open()/load()/file() calls below are the API of the Python bindings that ship with libmagic itself (the python-magic package on Ubuntu at the time of writing); the ahupp/python-magic module linked above primarily exposes magic.from_file(), so check which module you have installed before reusing these lines:

$ python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
>>> import magic

>>> m = magic.open(magic.MAGIC_NONE)
>>> m.load()
>>> ftype = m.file(r'log.exe')
>>> print ftype
PE32 executable (GUI) Intel 80386, for MS Windows

To demonstrate the use of file type detection, let's take the example of a file that was made to look like a Word document by renaming it from .exe to .doc.exe. In this case, attackers took advantage of the fact that, by default, "Hide extension for known file types" is enabled in the Windows folder view options; this option prevents the final file extension from being displayed to the user. The following screenshot shows the appearance of the file with "Hide extension for known file types" enabled:

Opening the file in CFF Explorer reveals that it is a 32-bit executable file and not a Word document, as shown here:
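As an added example (not code from the book), the following script does in plain Python what the libmagic check above reports for log.exe: it reads the PE header fields behind "PE32 executable (GUI) Intel 80386" and then compares that verdict with what the file name claims, flagging the .doc.exe trick. It goes slightly beyond the text by also recognising the OLE2 compound-document signature of a genuine .doc file; the header bytes and file names it uses are constructed for the demonstration.

```python
import struct

# Added example (not from the book): identify a file by its magic bytes, a small
# subset of what libmagic does, then compare that verdict with the file name.
# Header bytes and file names are constructed for the demonstration.
MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM = {2: "GUI", 3: "console"}

def identify(data):
    """Return a libmagic-style description for the leading bytes of a file."""
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "Composite Document File V2 Document"   # legacy .doc/.xls
    if data[:2] != b"MZ":
        return "data"
    # e_lfanew at offset 0x3c points at the "PE\0\0" signature
    pe = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    opt = pe + 24                                      # optional header start
    if data[pe:pe + 4] != b"PE\x00\x00" or len(data) < opt + 70:
        return "MS-DOS executable"
    # COFF header fields: Machine, ..., SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    magic = struct.unpack_from("<H", data, opt)[0]     # 0x10b PE32, 0x20b PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    kind = "DLL" if chars & 0x2000 else "executable"
    return "%s %s (%s) %s, for MS Windows" % (
        "PE32+" if magic == 0x20B else "PE32", kind,
        SUBSYSTEM.get(subsystem, "unknown subsystem"),
        MACHINE.get(machine, "unknown machine"))

def extension_mismatch(name, description):
    """True for a document-looking name whose content is a PE file, or for a
    document extension followed by an executable one (the .doc.exe trick)."""
    parts = name.lower().split(".")[1:]
    docs = {"doc", "docx", "pdf", "xls", "txt"}
    exes = {"exe", "scr", "com", "pif"}
    double = len(parts) >= 2 and parts[-1] in exes and parts[-2] in docs
    disguised = description.startswith("PE32") and parts[-1] in docs
    return double or disguised

def build_pe_sample():
    """Constructed minimal PE32 (GUI, i386) header, just enough for identify()."""
    dos = bytearray(64); dos[:2] = b"MZ"; dos[0x3C:0x40] = struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224); opt[:2] = struct.pack("<H", 0x10B)
    opt[68:70] = struct.pack("<H", 2)                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)

if __name__ == "__main__":
    verdict = identify(build_pe_sample())
    print(verdict, extension_mismatch("invoice.doc.exe", verdict))
```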
