MAEC 4.1 (Archive)

Note: MAEC Version 4.1 (Archive) is hosted on the MAEC Legacy Site, and all files linked to below will redirect there.

Release Notes

  • Added support for Cyber Observable eXpression (CybOX™) Version 2.1.
  • Added implementation of MAEC Capabilities, for capturing the set of high-level abilities that a malware instance may possess (please see the detailed release notes for details).
  • Added ability to “label” a Malware Subject with common terms, e.g., “worm”.
  • Added ability to capture details of configuration parameters used by a malware instance.
  • Added ability to capture details of the development environment used in the development of a malware instance.
  • Made numerous vocabulary updates, tweaks, and changes.
  • There are also full release notes available.


Schema Downloads

File Name Version Schema Documentation
All Files n/a zip n/a
All Files (offline, with examples and documentation) n/a zip n/a
MAEC Bundle 4.1 xsd html
MAEC Package 2.1 xsd html
MAEC Container 2.1 xsd html
MAEC Default Vocabularies 1.1 xsd html
MAEC Capabilities Hierarchy Diagram n/a n/a pdf

Current Release Examples

The variety of examples below for MAEC Version 4.1 illustrate the use of MAEC Bundles, Packages, and Containers, as well as the capture of specific malware-related attributes (e.g., clustering information, AV classifications, etc.).

IMPORTANT: While the examples on this page are sourced from real-world analysis reports, they should be considered illustrative examples only and should not be used in real-world operations.

File Name Description XML
All Files Archive of all v4.1 Release example files zip
Bundle Artifact Simple Bundle capturing network traffic information xml
Bundle AV Classifications Simple Bundle capturing Anti-Virus tool information xml
Bundle Candidate Indicator Demonstrates the basic construction of a Candidate Indicator entity within a Bundle xml
Bundle Dynamic Triage Tool Output Simple Bundle capturing dynamic analysis tool output xml
Bundle Network Behavior Simple Bundle capturing a network-based Behavior xml
Bundle Malicious Webpage Demonstrates the capture of the malicious aspects of a webpage xml
Bundle Object Re-use Demonstrates how Objects can be reused via ID references xml
Container Multiple Package Demonstrates the capture of multiple Packages using a Container xml
Package Action Equivalency Demonstrates the composition and use of an Action Equivalency entity in a Package xml
Package Capability Demonstrates the usage of Capabilities and Objectives in a Package, along with how they link up to Behaviors and Actions xml
Package Capability Snifula Provides a more detailed view of Capabilities and Objectives and their usage in characterizing a complex malware instance xml
Package Clustering Demonstrates how a Package can be used to capture a malware cluster (set of related malware) xml
Package Configuration Parameters Demonstrates how the configuration parameters of a Malware Subject can be characterized in a Package xml
Package Development Environment Demonstrates how the development environment of a Malware Subject entity can be characterized in a Package xml
Package Dynamic Triage Demonstrates how a Malware Subject entity in a Package can be used to capture multiple dynamic analysis tool outputs xml
Package Manual Analysis Demonstrates how a Malware Subject entity in a Package can be used to capture manual analysis tool output xml
Package Multi-Partite Malware Demonstrates how multi-partite malware may be captured as unique Malware Subject entities in a Package xml
Package Multiple Analysis Demonstrates how multiple analyses for the same Malware Subject (a Zeus binary) can be combined in a single Package using multiple Analysis entities xml
Package Static Triage Simple Package capturing basic static triage results xml

GitHub Repository Examples
The MAEC release examples, as well as examples provided by the MAEC Community, are provided at

STIX Examples
The Structured Threat Information eXpression (STIX™) Language can describe malware using MAEC characterizations through the use of a MAEC schema extension for the STIX TTP schema. See the “Malware Sample” in the STIXProject GitHub repository for an explicit example.

Cuckoobox Outputs
The MAEC release examples in the MAECProject GitHub repository contains example Cuckoobox outputs that were automatically generated and illustrate many of MAEC’s features.

MAEC Detailed Examples Document
The MAEC Detailed Examples Document provides comprehensive guidance on the creation of MAEC Package and Bundle documents in the context of static triage, dynamic triage, and manual analysis. Accordingly, it provides a detailed walk-through and description of a notional MAEC document for each such use case. Currently, this document is written against MAEC Version 4.0.1, though the concepts are almost completely compatible with MAEC Version 4.1.