Mimic — Browser File Scanner

1. Load Signature Databases

Drop signature files here or click to browse

.cvd .cld .hdb .hsb .ndb .ldb .mdb .msb .fp .sfp .cdb .cbc

If one-click fails (e.g. CORS): (1) Run ./scripts/zip-data.sh in crates/mimic-browser, then serve this app from that host so data/clamav-db.zip is same-origin; or (2) Drop clamav-db.zip (or individual .cvd files) in the zone above.

Downloading…

No signatures loaded

2. Scan Files

Drop files to scan or click to browse

Any file type

Plugins

Built-in by default: mimic-detect (exploit detection) and VirusTotal / mimic-vt (hash lookup). Everything runs in the browser.

mimic-detect only — scan without loading ClamAV or YARA

When enabled, you can scan files immediately using only exploit detection (no signature DB or YARA rules required).

mimic-detect

Exploit detection (DNG, RTF, TTF, PDF, RAR, ZIP) — always on.

Features & CVEs detected by mimic-detect

DNG (Digital Negative)

CVE-2025-43300: Apple RawCamera.bundle heap overflow (SamplesPerPixel vs JPEG Lossless SOF3 mismatch).
Related: Project Zero 442423708 (Android/Samsung Quram DNG exploit).

RTF (Rich Text Format)

CVE-2025-21298: Windows OLE Pres stream UAF (zero-click RCE).
CVE-2026-21509: Microsoft Office security feature bypass (malformed embedded OLE).

TTF/OTF (TrueType/OpenType)

CVE-2025-27363: FreeType GX/variable font subglyph OOB.
CVE-2023-41990: Apple ADJUST instruction (Operation Triangulation; fpgm/prep/glyf).

PDF

EXPMON 328131 (heuristic): Adobe Acrobat Reader PDF JavaScript abuse — privileged util / SOAP APIs (readFileIntoStream, RSS.addFeed, obfuscated stream-decode chains). See Haifei Li (Apr 2026).

RAR

CVE-2025-8088: WinRAR path traversal via Alternate Data Streams (ADS); malicious files in ADS extracted to arbitrary paths.

ZIP (Zombie ZIP)

CVE-2026-0866: Zombie ZIP — archive declares Method=0 (stored) while payload is DEFLATE-compressed (AV evasion).

VirusTotal / mimic-vt (optional API key)

Hash lookups run after each scan when key is set. Key is stored locally in this browser.

▼

YARA-like rules (optional)

Subset: strings with literal or hex, condition: any of them. Rules in the editor are applied automatically when you scan files; YARA results appear next to each sample. You can scan with YARA rules only (no ClamAV DB required).

No YARA rules applied

Run YARA on scanned samples

YARA rules from the editor are run automatically on each file when you scan. Click below to re-run the current rules on the same scanned files (e.g. after editing rules).