The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.
The required id field specifies a unique ID for this Malware Subject.
The Malware_Instance_Object_Attributes field characterizes the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware_Subject, via its corresponding Cyber Observable eXpression (CybOX™) Object. For example, a file would be represented via a CybOX File field of type FileObj:FileObjectType and may have a file name, MD5 hash, etc.
The Label field specifies a single commonly accepted label to describe the Malware Subject, e.g., "worm". The default vocabulary for this field is the MalwareLabelVocab-1.0 from the MAEC Default Vocabularies schema. More than one label may be specified through the use of multiple instances of this field.
The Configuration_Details field captures details of the configuration specified for the Malware Subject, such as configuration parameters.
The Development_Environment field captures details of the development environment used in the creation of the malware instance characterized by the Malware Subject.
The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.
The Field_Data field captures field data and prevalance information relating to the Malware Subject. It uses the fieldDataEntry type from the MMDEF v1.2 schema.
The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.
The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.
The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.
The Compatible_Platform field specifies a single platform that the Malware Subject is compatible with (i.e., can execute on). It uses the PlatformSpecificationType from the imported CybOX Common schema. More than one compatible platform can be specified by using multiple occurrences of this field.