Legend

There are many lists out there which enumerate bad, malicious, or potentially dangerous file extensions.
The list usually includes .exe, .dll, .docx, .zip, .iso and .html. But why are these file extensions dangerous? Are they all equally dangerous?
This website and list should give a more nuanced view of the whole problem. It is part of the Windows Application Attack Surface Analyzer (WAASA).

Category

A broad categorization of the extensions, mostly for organizational purposes. It is not strict; it is informative and meant for human readers.

Category     Description                                                                        Can execute?
Office       Mostly MS Office related (.docx, .pptm)                                            Yes: macros, OLE
Executable   A file intended to be executed, native code (.exe, .bat)                           Always
Script       A file intended to be executed, interpreted code (.js, .vb)                        Usually
Code         Contains code, but cannot be executed by double-clicking (.dll, .aspx)             Never
System       Windows-related files without much detail (can be executable, script, code...)    Can
Document     A document which cannot execute code (.rtf)                                        Never
Archive      File archive (.zip, .rar). Can usually execute code.                               Always
HTML         Special case dedicated to HTML (.html, .htm). Can execute code via HTML smuggling  Yes
Image        Plain old images (.jpg, .gif)                                                      No

Exec

Is it possible to execute code when opened/clicked?
Or in other words, can it lead to initial access?

Note: For many of the less well-known or uncommon file extensions, it is not completely clear whether code execution is possible.

MITRE Initial Access & Execution

MITRE Initial Access: Is the file extension being used for initial access? (Opinion based on CTI)
Currently, a lot of attacks involve .iso or .zip containing a .exe or .bat. Also, .docm has been widely used and is now superseded by .one. This is based on my own Cyber Threat Intelligence (CTI) gathering and common sense.

MITRE Execution: Is the file extension being used for execution?
This opinion is also based on CTI. For example, threat actors like to chain .lnk, .bat, .js, .vbs and rundll to execute different parts of their execution chain.

Builtin

Whether the extension is generally handled by Windows out of the box. Informative, unstable.
.exe is always built in; .docm requires optional software.

YAML Specification

The YAML file contains more data than displayed currently.

Extension           The file extension, with a dot (.exe)
Category            Broad category of this file extension (Archive, Executable)
Description         The file extension written out (.msi -> Windows Installer Package)
Confidence          How much I'd trust ALL information in this extension description.
                    "High" when written, "Low" when nothing is mentioned.
Common              Is the file a common sight? (.docx yes, .pif no)
                    True if it's common, default is False.
Exec                Can the file be executed (.exe, .vb), or does it provide a feature which can lead to execution? (.docm, .iso)
                    Or in other words, can this file reasonably lead the user to execute attacker code? Default False.
Code                The file contains code which cannot be directly executed when clicked.
                    For example .dll, .aspx, .sh are typically harmless when clicked. Can be used for MITRE Execution. Default False.
MitreInitialAccess  The extension is known to be used in real-world attacks for initial access. Either "often" or "sometimes". Will be "no" if not set.
MitreExecution      The extension is known to be used in real-world attacks for execution. Either "often" or "sometimes". Will be "no" if not set.
WindowsBuiltin      Does Windows support it out of the box?
                    .docx will be False, .zip will be True. Default False.
Notes               Notes about exploitability, recommendations, hardening etc.
Container           Set to True if it can contain other files (e.g. .zip, .iso, .docx).
                    Usually always executable. Default False.
BusinessCase        Does a business case exist for this file extension?
                    .docx often has one, .pif does not. Default False.
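The following is an added example, not code from the dobin/badfiles repository, showing how a defender might consume records in the shape this legend describes: it loads one mapping per extension, fills in the defaults the legend states ("Default False", 'Will be "no" if not set', "Low" confidence when nothing is mentioned), cross-checks each record's Exec flag against the "Can execute?" column of the category table above, and ranks records for an attachment-filter review. The flat `key: value` YAML subset parsed here, the sample records, and the block/review/allow policy are all assumptions made for illustration; the real repository's layout may be richer, in which case `yaml.safe_load_all` from PyYAML should replace `parse_records`.

```python
"""Reader and consistency checker for badfiles-style extension records.

Added example; not code from dobin/badfiles. Field names and defaults follow
the legend. The YAML subset (flat ``key: value`` mappings separated by
``---``), the sample records and the triage policy are constructed assumptions.
"""

# Defaults as stated in the legend ("Default False", 'Will be "no" if not set').
DEFAULTS = {
    "Confidence": "Low", "Common": False, "Exec": False, "Code": False,
    "MitreInitialAccess": "no", "MitreExecution": "no",
    "WindowsBuiltin": False, "Container": False, "BusinessCase": False,
    "Notes": "",
}
BOOL_FIELDS = {"Common", "Exec", "Code", "WindowsBuiltin", "Container", "BusinessCase"}

# "Can execute?" column of the category table, keyed by Category.
CATEGORY_EXEC = {
    "Office": "Yes", "Executable": "Always", "Script": "Usually", "Code": "Never",
    "System": "Can", "Document": "Never", "Archive": "Always", "HTML": "Yes",
    "Image": "No",
}

# Constructed sample records (illustrative values, not taken from the repository).
SAMPLE_YAML = """\
Extension: .exe
Category: Executable
Confidence: High
Exec: true
MitreInitialAccess: often
MitreExecution: often
BusinessCase: true
---
Extension: .pif
Category: Executable
Exec: true
---
Extension: .dll
Category: Code
Code: true
MitreExecution: often
BusinessCase: true
---
Extension: .jpg
Category: Image
Confidence: High
BusinessCase: true
"""


def parse_records(text):
    """Parse ``---``-separated flat mappings, filling in the legend's defaults."""
    records = []
    for chunk in text.split("\n---\n"):
        rec = dict(DEFAULTS)
        for line in chunk.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            rec[key] = value.lower() in ("true", "yes", "1") if key in BOOL_FIELDS else value
        if "Extension" not in rec or "Category" not in rec:
            raise ValueError("record is missing Extension or Category")
        records.append(rec)
    return records


def category_conflicts(records):
    """Extensions whose Exec flag contradicts their category's 'Can execute?' entry."""
    bad = []
    for r in records:
        rule = CATEGORY_EXEC.get(r["Category"])
        if rule == "Always" and not r["Exec"]:
            bad.append(r["Extension"])  # category says always, record says no
        elif rule in ("Never", "No") and r["Exec"]:
            bad.append(r["Extension"])  # category says never, record says yes
    return bad


def risk_label(rec):
    """Assumed triage policy (not the project's):
    block  - can lead to execution and has no business case
    review - can lead to execution, or carries code, but a business case exists
    allow  - nothing in the record suggests it can lead to execution"""
    can_run = rec["Exec"] or rec["Container"]
    if can_run and not rec["BusinessCase"]:
        return "block"
    if can_run or rec["Code"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    for r in parse_records(SAMPLE_YAML):
        print(r["Extension"], risk_label(r), r["MitreInitialAccess"], r["MitreExecution"], r["Confidence"])
```

Running the module prints one line per sample extension; `.pif` comes out as a block candidate because it inherits the default `BusinessCase: False`, while `.exe` lands in review because the record declares a business case. `category_conflicts` is the check to run whenever a record is added or edited: a record in the Archive or Executable category that leaves `Exec` at its default, or an Image/Document record that sets it, is reported by extension.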

Source

GitHub repo: dobin/badfiles
WAASA: dobin/waasa

Where is the data coming from?