What are sample files used for?

Sample files are used by developers, QA engineers, and designers to test file upload functionality, validate parsers, prototype applications, and verify format support. They provide well-formed examples of real file formats without sensitive data.

Are the sample files free to download?

Yes, all sample files on File Examples are completely free to download. No registration, no limits, and no hidden fees. You can use them for testing, development, and educational purposes.

What file formats are available?

File Examples offers 1000+ sample files in 700+ formats across 50 categories including documents, images, audio, video, code, scripting, AI/ML, blockchain, gaming, firmware, security, science, IoT, DevOps, medical, accessibility, automation, education, legal, API, localization, and many more.

Can I use these files for testing my application?

Absolutely. All files are well-formed, valid examples designed specifically for testing. They contain proper headers, metadata, and realistic content structures — ideal for QA testing, CI/CD pipelines, and development workflows.

How do I download a sample file?

Browse categories or search for a specific format, click on the file you need, and hit the Download button. The file downloads instantly — no signup or email required.

Critical severity

Right-to-Left Override: Filename Direction Trick

A filename containing the Unicode Right-to-Left Override character (U+202E) that reverses the visual display of the extension, making 'photo[RLO]gnp.exe' appear as 'photoexe.png'.

How This Attack Works

The Unicode RTLO character (U+202E) reverses the visual rendering direction of subsequent characters. Attackers insert it before a reversed dangerous extension, making the filename appear to have a safe extension. The actual file extension remains dangerous.

Attack Vector

File named 'report\u202Efdp.exe' displays as 'reportexe.pdf' in file managers. User sees .pdf extension and opens it. The actual extension is .exe.

Real-World Example

The Unitrix attack technique has been used by APT groups including Turla and APT28. It was also found in Telegram and WhatsApp file sharing vulnerabilities.

Safe Implementation

// SAFE: Strip bidirectional control characters
function sanitizeFilename(name: string): string {
  return name.replace(/[\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, '');
}

Safe Handling Guidelines

Strip all Unicode bidirectional control characters (U+200E, U+200F, U+202A-U+202E, U+2066-U+2069) from filenames. Validate the actual byte-level extension, not the displayed name.

Affected Platforms

Windows ExplorermacOS FinderEmail clientsMessaging appsFile managers

Related Security Demos

Double Extension: document.pdf.exe

double-extension · critical

MIME Spoofing: Executable Disguised as PDF

mime-spoofing · critical

Related Tools & Resources

MIME Detector Checksum Generator Edge-Case Library Compatibility Matrix