Take the Malicious Content IQ Test!

Some network security systems claim to to be able to identify malware automatically by running it in a highly instrumented, often virtualized "sandbox" environment and then monitoring its execution behavior for signs of malicious activity. Although this approach may work for some less sophisticated attacks, many modern attacks use sandbox-aware or VM-aware malcode that will simply "play dead" if it even suspects that it's being run in an unrealistic client environment, making it invisible to these systems.

But beyond just being paranoid about sandboxes, many of today's advanced threats deliberately require some kind of non-trivial human interaction before they will activate or exhibit any malicious behavior. Essentially they use a combination of social engineering, human factors psychology, and rapidly customized targeted malcode to implement a simple form of "Turing test" that makes it very difficult, if not impossible, for an automated execution engine to trigger the attack. These attacks are targeting the human, not the machine.

Each of the test files listed below contains a Microsoft Office file that simulates malicious behavior by "dropping" a file on the victim's disk when the victim takes some kind of action like clicking on or hovering over an image. The file that gets dropped is a perfectly safe little text file that does absolutely nothing at all. Although the program that drops the file doesn't do anything that's actually harmful, any executable content from an untrusted source that can do arbitrary file system operations on your computer should be considered potentially malicious.

Note: Although the test files below are not polymorphic, the idea here is that, in the wild, they would be embedded in a polymorphic delivery vehicle. So the objective of the test is to gauge the network security system's ability to find network sessions that contain malicious files, no matter how they are "packaged" or embedded. Finding the test files by "hashing" them and/or creating a static signature for each file doesn't count! In the future we may add a polymorphic file to the set of test files...

To test your network security system's Malicious Content IQ™:


Test Files

Set up your network security system, clear your browser's cache, and then click on each of the links below to download the test files.

  1. Microsoft Excel (.xls) File with Simulated Malicious Active Content
  2. Zipped Microsoft Excel (.xls) File with Simulated Malicious Active Content
  3. Microsoft PowerPoint (.ppt) File with Simulated Malicious Active Content
  4. Microsoft PowerPoint Show (.pps) File with Simulated Malicious Active Content
  5. RAR'd Microsoft PowerPoint Show (.pps) File with Simulated Malicious Active Content
  6. Microsoft Word (.doc) File with Simulated Malicious Active Content