Open gtback opened 10 years ago
A CHM file has a unique structured format that has been documented by a few unofficial sources (here's a starting point - http://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help). It is effectively an LZX archive that contains a number of control/configuration files and html files. In the case of a malicious CHM, it may also contain a malicious .exe and some scripting to get it to execute. Before deciding to break this off as a unique object, it would probably make sense to look into and understand the file format.
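As an added illustration of the format discussion above (example code written for this note, not from the issue's author or from the project this tracker belongs to): the ITSF header points at an uncompressed ITSP directory whose PMGL chunks list every stored object by name, so the "contains an .exe" fact can be read from the directory alone, without decompressing the LZX content sections. The minimal CHM image, the object names and the list of flagged extensions (which goes slightly beyond the .exe case mentioned above) are constructed assumptions for the example.

```python
import struct

def _encint(buf, pos):
    # CHM ENCINT: big-endian base-128, high bit set means another byte follows
    val = 0
    while True:
        b, pos = buf[pos], pos + 1
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            return val, pos

def chm_entries(data):
    """name -> (content section, offset, length) from the PMGL listing chunks."""
    if data[:4] != b"ITSF":
        raise ValueError("not an ITSF (CHM) container")
    # ITSF header section table at 0x38: two (offset, length) QWORD pairs; the
    # second one is the uncompressed directory, which begins with an ITSP header
    dir_off, dir_len = struct.unpack_from("<QQ", data, 0x48)
    itsp_len, _, chunk_size = struct.unpack_from("<III", data, dir_off + 8)
    entries = {}
    for pos in range(dir_off + itsp_len, dir_off + dir_len - chunk_size + 1, chunk_size):
        chunk = data[pos:pos + chunk_size]
        if chunk[:4] != b"PMGL":          # PMGI index chunks hold no objects
            continue
        quickref_len, = struct.unpack_from("<I", chunk, 4)
        count, = struct.unpack_from("<H", chunk, chunk_size - 2)
        p, end = 0x14, chunk_size - quickref_len
        for _ in range(count):
            n, p = _encint(chunk, p)
            name, p = chunk[p:p + n].decode("utf-8", "replace"), p + n
            section, p = _encint(chunk, p)
            offset, p = _encint(chunk, p)
            length, p = _encint(chunk, p)
            if p > end:                   # malformed entry spilling into the quickref area
                raise ValueError("directory entry overruns its chunk")
            entries[name] = (section, offset, length)
    return entries

def suspicious_entries(entries):
    # a help file normally stores only HTML, images and #/:: control objects
    risky = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".hta")
    return sorted(n for n in entries if n.lower().endswith(risky))

def build_sample_chm(names, chunk_size=0x100):  # constructed minimal image, not compiler output
    enc = lambda v: bytes([v])  # every value here is < 0x80, so ENCINT is one byte
    body = b"".join(enc(len(n)) + n.encode() + enc(1) + enc(0) + enc(0) for n in names)
    chunk = (b"PMGL" + struct.pack("<IIii", chunk_size - 0x14 - len(body), 0, -1, -1) + body).ljust(chunk_size - 2, b"\0")
    chunk += struct.pack("<H", len(names))
    directory = (b"ITSP" + struct.pack("<IIII", 1, 0x54, 10, chunk_size)).ljust(0x54, b"\0") + chunk
    itsf = (b"ITSF" + struct.pack("<III", 3, 0x60, 1)).ljust(0x38, b"\0")
    return itsf + struct.pack("<QQQQ", 0x60, 0, 0x60, len(directory)).ljust(0x28, b"\0") + directory
```

Running `suspicious_entries(chm_entries(open(path, "rb").read()))` on a real file gives the object names a MAEC/STIX "Contains" relationship would reference; the directory walk stops with an error on a chunk whose entries overrun their area.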
Agreed, I'm guessing that this was requested mostly because of the format's use in distributing malware, so there's not much needed except for the fact that it "Contains" an .exe, which can already be represented by the current relationships.
I'd say this is pretty low-priority then.
Depends on #315
Context: This would support use cases related to digital forensics, as well as the capture of properties of malicious CHM files (i.e. in MAEC), and indicators that may be associated with such files (i.e. in STIX).
LOE: High
Form #1