Static IOC extraction engine for binaries, text, and logs.
Project description
malx‑ioc‑extractor
Static IOC extraction for binaries, text, and artifacts — fast, safe, and open‑source.
malx‑ioc‑extractor is a lightweight, extensible engine for extracting Indicators of Compromise (IOCs) using pure static analysis. No execution. No sandboxing. No risk. Built for DFIR workflows, SOC automation, and large‑scale threat analysis.
It’s designed to be:
- Safe — never executes untrusted code
- Fast — built for automation and pipelines
- Extensible — plug in your own regexes, parsers, and rules
- Developer‑friendly — clean API, CLI, and examples
- Open‑source — the extraction engine is free; enrichment lives in the MalX cloud platform
This project is the foundation of the MalX Labs ecosystem for scalable, modern threat‑analysis tooling.
Features
IOC Extraction
- Windows PE files (.exe, .dll)
- Raw text
- Extracted strings from binaries
- Caching for increased performance
Detections
- URLs
- Domains
- IPv4 / IPv6 addresses
- File paths
- Hashes (MD5 / SHA1 / SHA256 / SHA512 / Generic Hex)
- Email addresses
- Base64
Static PE Parsing
- Imports
- Sections
- Resources
- Metadata
Developer‑Friendly
- Clean JSON output
- CLI + Python API
- Modular, extensible rule system
- Minimal dependency footprint
Security‑First
- Zero malware execution
- Safe for untrusted input
- Deterministic behaviour
Why Static Only?
Static analysis ensures safety, determinism, and CI‑friendly operation. No sandboxing, no execution, and no risk of triggering malware behaviour.
Quickstart
Install
pip install iocx
Extract IOCs from a file
iocx suspicious.exe
Extract from text
echo "Visit http://bad.example.com" | iocx -
Python API
from iocx import extract
results = extract("suspicious.exe")
print(results)
Example Output
{
"file": "suspicious.exe",
"type": "PE",
"iocs": {
"urls": ["http://malicious.example.com"],
"domains": ["malicious.example.com"],
"ips": ["45.77.12.34"],
"hashes": ["d41d8cd98f00b204e9800998ecf8427e"],
"emails": [],
"filepaths": [
"c:\\windows\\system32\\cmd.exe",
"d:\\temp\\payload.bin"
],
"base64": []
},
"metadata" : {
"file_type": "PE",
"imports": [
"KERNEL32.dll",
"msvcrt.dll"
],
"sections": [
".text",
".data",
".rdata",
".pdata",
".xdata",
".bss",
".idata",
".CRT",
".tls",
".reloc",
"/4",
"/19",
"/31",
"/45",
"/57",
"/70",
"/81",
"/97",
"/113"
],
"resource_strings": []
}
}
Architecture
malx-ioc-extractor/
│
├── examples/ # Sample files + generators
├── tests/ # Unit and integration tests
├── iocx
├── extractors/ # Regex-based IOC detectors
├── parsers/ # PE parsing, string extraction
├── validators/ # Normalisation + dedupe
├── cli/ # Command-line interface
The engine is intentionally modular so components can be extended or replaced easily.
Extending the Engine
You can add custom:
- Regex detectors
- File parsers
- Normalisation logic
Register a custom detector
The second argument is a detector function (a callable that receives the input and returns extracted values):
from iocx.detectors import register_detector
def extract(data):
# custom extraction logic here
return ["wallet123"]
register_detector("crypto_wallet", extract)
Safe Testing (No Malware Required)
All test samples are:
- Synthetic
- Benign
- Publicly safe (EICAR, GTUBE)
- Designed to avoid accidental malware handling
Contributing
We welcome:
- New IOC detectors
- Parser improvements
- Bug reports
- Documentation updates
- Synthetic test samples
See CONTRIBUTING.md for full guidelines.
Security
If you discover a security issue, do not open a GitHub issue. Please follow the instructions in SECURITY.md.
Related Projects (MalX Labs)
- malx-core — foundational primitives
- malx-utils — shared utilities
- malx-sandbox — dynamic analysis environment
- malx-forge — adversarial payload tooling
- malx-archive — research + PoCs
License
Licensed under the MIT License. See LICENSE for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file iocx-0.1.0.tar.gz.
File metadata
- Download URL: iocx-0.1.0.tar.gz
- Upload date:
- Size: 15.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9ff9c4c30eaa464c97329bb9f3aed0bbe54daff247c0270b86b334c719296d9d
|
|
| MD5 |
5019a44bbdf48481a93b67c2dd207c3c
|
|
| BLAKE2b-256 |
c866d14437de431d38b09df9b4cf4a1199a44f9cee335a928a8a1ccbf337b876
|
File details
Details for the file iocx-0.1.0-py3-none-any.whl.
File metadata
- Download URL: iocx-0.1.0-py3-none-any.whl
- Upload date:
- Size: 18.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
cb1e25ebf75fc4ac94640dd7baad24f3b30cf670be82af41c2dbb70e9f19f903
|
|
| MD5 |
728450b4671533ba6b9a5dc9a61c9de2
|
|
| BLAKE2b-256 |
156045689400fcef05d33a47bda431d870af3e7c1f9fda81c0e48abe7735065c
|
