Spoofing file extensions with the Unicode Character ‘RIGHT-TO-LEFT OVERRIDE’ (U+202E)

One of the more interesting things Windows does is support for Right-To-Left characters. This can be a useful tool to hide the real file extension of a document. By simply inserting the unicode character U+202E you can partially reverse the file name of a document and hide it’s real extension.

This website allows you to copy the unicode character into your clipboard.

You can easily turn any executable into any file format of your choice. For example, a payload executable with an Excel icon and extension:

The character has been inserted into a filename of docxslx.exe – Inserting the character before the x character will turn this into docexe.xlsx and appear that way even with windows file extensions enabled.

If you right click and Properties on the file though; you will still see it’s original type listed as Application and not an Excel document. But without looking any further, this method would fool users at first glance, it could even go as far as actually launching Excel once it’s been clicked so that the target thinks it’s a blank document.

Leave a Comment