Frankly, I cannot provide specific details about what Gmail looks for because I don't know the details. But I've run into that problem enough (with Gmail and also with a corporate IT managed Exchange server) to get a feel for when I can expect it.
The file extension in the attachment name is the largest predictor.
I don't even bother attaching anything with the extensions: BAT, BAS, VBS,, JS, JVS, or HTA because I cannot count on them showing up and I won't get a delivery failure notice. This also happens with macro enabled files, XLSM, DOCM, XLAM, DOTM, etc.
At least some portion of the contents of the attachment are scanned too. Or, at least, that is the nference I make when I change the extension to TXT and the file doesn't show up. I can't say specifically if they are scanning a file and putting context to words or if they are matching patterns that indicate the actual file type. The later seems more practical considering possible resource or legal constraints.
Compressed archives aren't a sure thing either. In this case, I feel nearly certain the table of contents is being scanned and not the full archive. This could add weight to a theory that the full contents of a file are not scanned but that doesn't make it a fact. Zip files have always been hard for antivirus software to handle and reading the file names seems like low hanging fruit; in other words, scanning the body and putting context to contents remains a logical possibility.
Changing the file extension before adding the file to a compressed archive is my standard "go to". I do not believe I've had a file intercepted this way but the increasing weaponization of Zip files, it may only be a matter of time before this this stops working.
