If you suspect files are compromised do not - ever - put them on a system you don’t want compromised.
If you’re trying to protect an install of Windows, you should never use that version of Windows to manage the file, not even to copy it.
The best way to handle a suspect file is using a Linux LiveCD or USB session. If the file is compromised, the changes don’t persist across power downs unless the attack is extremely sophisticated.
There are known exploits that detect and attempt to circumvent virtualization, and there are known bugs that allow processes in virtual machines to escape and access the host system.
Virtualization helps isolate things, but you should never count on it to do so. Especially if that VM is connected to a network or has a shared filesystem of any sort.
One thought I had was to break the file extensions, make any .PDF into .OLD so that way the files wouldn’t have a clear way to be opened or interacted with.
This is called “security by obscurity”, and it’s not actually security.
Windows is weird in that it treats an identical file.jpg and file.txt differently because of the extension; other operating systems don’t do that. The files themselves contain encoding data to tell applications what type of files they are. Changing the file name doesn’t change that data, so applications (including malware) can still identify what they are.
Sophisticated malware hashes filenames anyway so that any filename or any filetype containing the payload will be used. Even some less-sophisticated malware does this so that two script kiddies who used the same exploit with different settings don’t clobber each other.
Can an infected file simply by existing on your computer, infect your computer?
Minimal risk, but there is still some.
In order to compromise your system, the infected file needs to be executed. On a minimal system with no unneeded services, the risk is minimal. On a bloated system, things like image thumbnailers, auto-start or auto-exec, or filesystem indexing services increase the chances that happens.
Malware frequently interferes with the boot process as well. If you’ve previously been compromised, there’s a chance that your infected file could be set to execute automatically.
Minimal risk, but not zero.
How common is highly infectious malware?
Highly infectious is very common. Hard to mitigate is much less common. I’ve seen dozens of machines compromised in seconds in a corporate office environment. Stuff likes to spread.
That particular attack was just a dumb script that barely tried to hide itself, so it was easy enough to correct, but it spread fast.
Governments are in the malware business now, too. They write the nastiest stuff. They’ve got the financing and power to use undisclosed vulnerabilities to drop payloads into the system board that persist across OS installs and drive swaps.
Casual users generally don’t get hit by that stuff, but it does happen now and then. If you or your devices work near anything of “strategic value”, the risk for that goes up substantially.
For the purposes of experimentation and better understanding I’d be interested in trying some professional tools and techniques to complete this task.
General purpose LiveCD/USB tools:
If you’re looking for a much more casual use tool, various anti-virus companies produce Linux LiveCDs for scanning Windows systems without actually booting the Windows system.
AVG (Looks dead, but docs still exist)
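
The point above about renaming .PDF to .OLD can be checked directly. This is an added example, not part of the original answer: it reads only the leading bytes of a file and reports the type they imply, whatever the file is called. The function names and the sample file are constructed for illustration; the signatures are the standard ones for each format.

```python
"""Identify a file's type from its leading bytes, ignoring its name."""
import os
import tempfile

# Well-known file signatures ("magic numbers") found at offset 0.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),   # also the container for docx/xlsx/jar
    (b"MZ", "pe"),            # Windows executable (EXE/DLL)
    (b"\x7fELF", "elf"),      # Linux executable
]

# Extensions that would be unsurprising for each detected type.
EXPECTED_EXT = {
    "pdf": {".pdf"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"},
    "zip": {".zip", ".docx", ".xlsx", ".jar"},
    "pe": {".exe", ".dll"}, "elf": {""},
}

def sniff_type(path):
    """Return the type implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:   # read bytes only; nothing is rendered or run
        head = fh.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def check(path):
    """Return (detected_type, extension_matches_content)."""
    kind = sniff_type(path)
    ext = os.path.splitext(path)[1].lower()
    return kind, kind is not None and ext in EXPECTED_EXT[kind]

def demo():
    """Constructed sample: a PDF header saved as .pdf, then renamed to .OLD."""
    with tempfile.TemporaryDirectory() as d:
        pdf = os.path.join(d, "report.pdf")
        with open(pdf, "wb") as fh:
            fh.write(b"%PDF-1.7\n% constructed sample, not a real document\n")
        before = check(pdf)
        renamed = os.path.join(d, "report.OLD")
        os.rename(pdf, renamed)
        return before, check(renamed)

if __name__ == "__main__":
    print(demo())
```

After the rename the detected type is still `pdf`; only the name/content match flag changes, which is also a useful triage signal when a file's extension disagrees with its header.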