MalwareSubjectTypeMAEC Package Schema

The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.

Field Name Type Description
@idrequired QName

The required id field specifies a unique ID for this Malware Subject.

Malware_Instance_Object_Attributes1..1 ObjectType

The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding Cyber Observable eXpression (CybOXâ„¢) Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.

Label0..n ControlledVocabularyStringType

The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g., "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.

Configuration_Details0..1 MalwareConfigurationDetailsType

The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.

Development_Environment0..1 MalwareDevelopmentEnvironmentType

The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.

Minor_Variants0..1 MinorVariantListType

The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.

Field_Data0..1 fieldDataEntry

The Field_Data field captures field data and prevalance information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.

Analyses0..1 AnalysisListType

The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.

Findings_Bundles0..1 FindingsBundleListType

The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.

Relationships0..1 MalwareSubjectRelationshipListType

The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.

Compatible_Platform0..n PlatformSpecificationType

The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e., can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.