Sunday, March 24, 2013

16,800 clean and 11,960 malicious files for signature testing and research.


Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have.

Clean documents are collected from various open sources. All copyrights belong to the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.




Download all

All files use the same password (scheme). Email me if you need the password.
16,800 CLEAN FILES 

  1. EXE
    UTILITY FOR CLEAN EXE FILES
  2. XLS(X), DOC(X), RTF
    CLEAN MS OFFICE FILES AND RTF - 2000 FILES
  3. ZIP, 7Z, RAR
    CLEAN ARCHIVE FILES - 5500 FILES
  4. JAR
    CLEAN JAVA FILES - 100 FILES
  5. PDF
    PDF - 9000_files   and  PDF -100+with embed_3d_video_swf_ js
  6. MACH-O
    CLEAN OSX MACH-O FILES - 50 FILES
11,960 MALICIOUS FILES

  1. PDF
    MALWARE PDF NEW -170 FILES
    MALWARE PDF PRE_04-2011_10982_files

  2. RTF, XLS
    MALWARE RTF_CVE-2010-3333_RTF_92files
    MALWARE_RTF_CVE-2012-0158_300_files
    MALWARE_ENCRYPTED_XLS_16files           
           
  3. MACH-O
    MALWARE_MACHO_OSX_100_FILES
  4. ELF
    MALWARE_ELF_LINUX_100_FILES
  5. JAR
    MALWARE JAVA (JAR) - 200 FILES


DETAILED LISTING OF CLEAN FILES 


1. WINDOWS EXECUTABLES
EXE
Windows executables. I am not posting any because you can quickly generate your own from any VM.
See the EXE collection utility by Stephan Chenette: https://github.com/IOActive/SearchAndCollect


2. CLEAN MS OFFICE FILES AND RTF - 2,000 FILES
DOC, DOCX, XLS, XLSX, RTF
RTF - 200_files
XLSX -100_files
XLS_300_files
DOCX_100_files
DOC_1300_files

3. CLEAN ARCHIVE FILES - 5,500 FILES
7z, ZIP, RAR
Encrypted and not.

7z_w_EXE+DLL_1000_files_nopass
RAR_EXE+DLL_1000_files_encryptedname_pass_123qwe
RAR_EXE+DLL_1000_files_pass_password123
RAR_OFFICE+PDF_500_files_pass_1234!@#$
ZIP_w_EXE+DLL_1000_files_nopass
ZIP_w_EXE+DLL_1000_files_pass_password123

P.S. - Please remove _185-1 (86).rar from RAR_OFFICE+PDF_500_files_pass_1234!@#$, as it is not clean; it sneaked in accidentally. It has already been removed from the current set.

4. CLEAN JAVA FILES - 100 FILES
JAR
CLEAN_JAR_100_files

5. CLEAN ADOBE READER FILES - 9,100 FILES
PDF
PDF - 9000_files
PDF -100+__embed_3d_video_swf_ js - clean pdf documents with special features - embedded javascript, 3d objects, flash, video, etc.

6. CLEAN OSX MACH-O FILES - 50 FILES

7. CLEAN ELF LINUX FILES - 46 FILES

These 4 files were removed as questionable (perl2elf utility with obfuscated Perl code):
0fdb34f48166dae57ff410d723efd3f7  
4020b92f05661260f5ed3fe642eb0ace  
a1faa486be2303697d13d26cca576f27  
f7536bb412d6c4573fd6fd819e1b07bb  




DETAILED LISTING OF MALICIOUS FILES


1. MALWARE ADOBE READER FILES - 11,152 FILES
PDF

PDF-XDP _3files
CVE-2013-0640_PDF_21files
CVE-2012-0754_PDF_1file
CVE-2011-2462_PDF_25files
CVE-2010-0188_PDF_49files
CVE_2010-2883_PDF_25files
MALWARE_PDF_PRE_04-2011_10982_files - files from web exploit packs - older than April 2011.


2. MALWARE MS OFFICE AND RTF FILES - 
RTF, XLS
MALWARE RTF_CVE-2010-3333_RTF_92files
MALWARE_RTF_CVE-2012-0158_300_files
MALWARE_ENCRYPTED_XLS_16files  - CVE-2012-0158

3. MALWARE_MACHO_OSX_100_FILES

4. MALWARE_ELF_LINUX_100_FILES  

5. MALWARE JAVA (JAR) - 200 FILES

4 comments:

  1. If you find yourself in need of more documents, you may want to check out the 'govdocs' corpus (on digitalcorpora.org) - it is just about 1 million files and is unencumbered with regard to distribution.

    I do forensics research and big sources of ground truth are very helpful for tool building.

  2. What's the password?

  3. Nice Collection.
    Try to contact for password, but no answer!!

  4. Thanks for providing the psw so quick!
