Clean documents are collected from various open sources. All the copyright rights belong to the authors of each document and file. You must not use the documents for their content but only as samples of particular file types.
Sunday, March 24, 2013
16,800 clean and 11,960 malicious files for signature testing and research.
Thursday, March 21, 2013
DarkSeoul - Jokra - MBR wiper samples
If all you need for happiness is to destroy a few virtual machines, here are the samples for today's headline maker.
The malware overwrites the master boot record (MBR), as described here:
* Trojan.Jokra - Symantec
* DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
* South Korean Banks, Media Companies Targeted by Destructive Malware - McAfee
* South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack - Symantec.
Sunday, March 3, 2013
Mandiant APT1 samples categorized by malware families
Update: May 19, 2018
APT 1 resources
Threat Actor aliases:
Comment Crew, Comment Panda, PLA Unit 61398, TG-8223, APT 1, BrownFox, Group 3, GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor
http://apt.threattracking.com
These are the samples described in the Mandiant Report APT1, in the Indicators of Compromise (IOCs). Each file is named according to the malware family, so you can run your own detection and signature tools to see how your naming convention corresponds to the one used by Mandiant.
You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.
I added Contagio samples in several families as well.
The list of binaries and their names, as well as the malware family descriptions, are provided below for your convenience.
- 2010_11_Fireeye_VinSelf - A new backdoor in town! « VinSelf - A new backdoor in town! _ FireEye Inc.pdf
- 2010_12_Guardian_WikiLeaks cables reveal fears over Chinese cyber warfare _ US news _ The Guardian.pdf
- 2011_08_Ira Winkler_ Shady Rat Case Shows Vendors As Big a Problem As APT Itself _ CIO.pdf
- 2011_08_Kaspersky's Thoughts on Operation Shady Rat _ Nota Bene_ Eugene Kaspersky's Official Blog.pdf
- 2011_10_SANS_detailed-analysis-advanced-persistent-threat-malware-33814.pdf
- 2011_Mcafee-operation-shady-rat1.pdf
- 2012_06_Bloomberg_Hackers Linked to China’s Army Seen From EU to D.C. - Bloomberg.pdf
- 2013_02_NYTimes_China’s Army Is Seen as Tied to Hacking Against U.S.pdf
- 2013_03_Fireeye_TABMSGSQL and 44 WEBC2-YAHOO_The Dingo and the Baby « The Dingo and the Baby _ FireEye Inc.pdf
- 2013_05_Fireeye_APT1 Three Months Later.pdf
- 2013_05_Mandiant-APT1_Exposing One of China’s Cyber Espionage Units.pdf
- 2014_05_Fireeye_The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity « The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity _ FireEye Inc.pdf
- 2014_06_Crowdstrike_Hat-tribution to PLA Unit 61486 ».pdf
- 2014_12_Vinself now with steganography - Airbus CyberSecurity.pdf
- 2016_BANGAT_malware-signatures_bangat.yara at master · citizenlab_malware-signatures.pdf
- GIF89a_Vinselfdecoder_malwaretracker.com_ Command and Control Decoder - Vinself Trojan.pdf
- PLA Unit 61398 _ Council on Foreign Relations Interactives.pdf