Malware researchers frequently seek malware samples to analyze threat techniques and develop defenses. In addition to downloading samples from known malicious URLs, researchers can obtain malware samples from the following free sources:

• ANY.RUN: Registration required
• Contagio Malware Dump: Curated, password required
• CAPE Sandbox: Registration required
• Das Malwerk
• Hatching Triage: Registration required
• Hybrid Analysis: Registration required
• InQuest Labs: Registration required
• InQuest Malware Samples on GitHub
• KernelMode.info: Registration required
• MalShare: Registration required
• MalwareBazaar
• MalwareSamples Malware-Feed: Curated
• Malware DB
• Objective-See Collection: Mac malware
• PacketTotal: Malware inside downloadable PCAP files
• PhishingKitTracker: Phishing sites source code
• PolySwarm: Registration required
• SNDBOX: Registration required
• SoReL-20M: 10M defanged malware samples (see notes)
• theZoo aka Malware DB
• URLhaus: Links to live sites hosting malware
• VirusBay: Registration required
• VirusShare: Registration required
• VirusSign: Registration required
• Virus and Malware Samples: Includes APT, registration required
• vx-underground
• Yomi: Registration required

Be careful not to infect yourself when accessing and experimenting with malicious software.

My other lists of online security resources outline Automated Malware Analysis Services and On-Line Tools for Malicious Website Lookups. Also, take a look at tips sharing malware samples with other researchers.