
Malware Analysis V.3

The Malware Analysis v3 API call returns the threat report that Malware Analysis has generated for a given indicator.


Data Structure:

{
     "data": {
          "attributes": {},
          "communicating_files": [],
          "downloaded_files": [],
          "id": string,
          "links": {},
          "referrer_files": [],
          "resolutions": [],
          "siblings": [],
          "subdomains": [],
          "type": string,
          "urls": []
     }
}


Example:

Given the indicator “moiparks.in”, Malware Analysis v3 returns the following (abbreviated: `...` marks list entries that have been omitted):

{
"data": {
"attributes": {
"categories": {
"alphaMountain.ai": "Malicious"
},
"last_analysis_results": { "ADMINUSLabs": {
"category": "harmless", "engine_name": "ADMINUSLabs", "method": "blacklist", "result": "clean"
},...
},
"last_analysis_stats": { "harmless": 71,
"malicious": 4,
"suspicious": 1,
"timeout": 0,
"undetected": 9
},
"last_dns_records": [], "last_modification_date": 1617845258, "popularity_ranks": {},
"reputation": 0, "tags": [], "total_votes": { "harmless": 0,
"malicious": 0
},
"whois": "", "whois_date": 1600070810
},
"communicating_files": [
{
"attributes": { "capabilities_tags": [], "downloadable": true, "exiftool": {
"FileType": "RTF", "FileTypeExtension": "rtf", "MIMEType": "text/rtf"
},
"first_seen_itw_date": 1465386294,
"first_submission_date": 1465386468,
"last_analysis_date": 1620122891,
"last_analysis_results": { "ALYac": {
"category": "malicious", "engine_name": "ALYac", "engine_update":
"20210504",
"engine_version": "1.1.3.1",
"method": "blacklist", "result": "Trojan.RTF-COM-Dropper.Gen"
},...
},
"last_analysis_stats": { "confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 37,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 15,
"undetected": 23
},
"last_modification_date": 1620130159,
"last_submission_date": 1526341830,
"magic": "Rich Text Format data, version 1, unknown character set",
"md5": "11c4c7cc2bbab51f6353ecbab4a34d68",
"meaningful_name": "SOA \u0026 payment copy.doc",
"names": [
"SOA \u0026 payment copy.doc", "SOA",
"sourcedoc1$"
],
"packers": {
"F-PROT": "appended"
},
"popular_threat_classification":
{
"popular_threat_category": [
{
"count": 16,
"value": "trojan"
},
{
"count": 8, "value": "dropper"
}
],
"popular_threat_name": [
{
"count": 3,
"value": "cve20151641"
},
{
"count": 2,
"value": "expl"
},
{
"count": 2,
"value": "mo97"
}
],
"suggested_threat_label": "trojan.cve20151641/expl"
},
"reputation": -4,
"rtf_info": { "document_properties": {
"custom_xml_data_properties": 0,
"default_character_set":
"ANSI (default)",
"dos_stubs": 0,
"embedded_drawings": 0,
"embedded_pictures": 0, "longest_hex_string":
86779,
"non_ascii_characters":
293846,
"objects": [
{
"class": "otkloadr WRAssembly 1",
"type": "OLE control"
},
{
"class": "otkloadr WRAssembly 1",
"type": "OLE embedded"
},
{
"class":
"otkloadr WRAssembly 1",
"type": "OLE embedded"
}
],
"read_only_protection": false,
"rtf_header": "rtf1", "user_protection":
false
}
},
"sandbox_verdicts": { "Lastline": {
"category": "malicious", "malware_classification":
[
"MALWARE"
],
"sandbox_name": "Lastline"
}
},
"sha1": "609a4c511be0e6042c94ff88c26b0acf19f7da8c",
"sha256": "6cd6abeccf5e7f8507d209eafb8a1a77f2bd4fe679dd633725759f0a7385500c",
"size": 761563,
"ssdeep": "12288:9v4VZv95bR7embfqQOK6wbVvqSGNImodL48JkibF0eYGhpv6g:9yx9lRtnt5lpZF0rGd",
"tags": [
"ole-embedded", "exploit", "rtf",
"cve-2015-1641",
"ole-control"
],
"times_submitted": 14, "tlsh": "T1CDF4CFA7034937C1DE9B5D71EF99B4074905F0A3E6C90B24DBEFE0709BE612938B2A45",
"total_votes": { "harmless": 0,
"malicious": 1
},
"trid": [
{
"file_type": "Rich Text Format",
"probability": 100
}
],
"type_description": "Rich Text Format",
"type_extension": "rtf", "type_tag": "rtf", "unique_sources": 12, "vhash":
"8c37320968a225c52fb8344bd0bed6dc9"
},
"id": "6cd6abeccf5e7f8507d209eafb8a1a77f2bd4fe679dd633725759f0a7385500c",
"links": {
"self": "https://www.virustotal.com/api/v3/files/6cd6abeccf5e7f8507d209eafb8a1a77f2bd4fe679dd633725759f0a7385500c"
},
"type": "file"
},...
],
"downloaded_files": [
{
"attributes": {
"autostart_locations": [
{
"entry": "C:\\WINDOWS\\winmain64.exe",
"location": "Task Scheduler"
},
{
"entry": "C:\\Windows\\winmain64.exe",
"location": "Task Scheduler"
}
],
"downloadable": true, "exiftool": { "FileType": "TXT",
"FileTypeExtension": "txt", "LineCount": 1, "MIMEEncoding": "us-ascii", "MIMEType": "text/plain", "Newlines": "(none)", "WordCount": 6
},
"first_submission_date": 1473369233,
"last_analysis_date": 1574853432,
"last_analysis_results": { "ALYac": {
"category": "undetected", "engine_name": "ALYac", "engine_update":
"20191127",
"engine_version": "1.1.1.5",
"method": "blacklist", "result": null
},...
},
"last_analysis_stats": { "confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 13,
"undetected": 57
},
"last_modification_date": 1620640787,
"last_submission_date": 1560296158,
"magic": "ASCII text, with no line terminators",
"md5": "43b31a333c9b78f0c53d0f392c233581",
"meaningful_name": "gate.php", "names": [
"gate.php",...
],
"reputation": 0, "sha1": "5a6c92842517f32fc654fa90d1bb7aff5977939e",
"sha256": "21f2049d5b7a94430621acbc5f6c467c134d368a2c69a8283cc08b1f6183962c",
"size": 15,
"ssdeep": "3:eXCRXn:e0n", "tags": [
"text"
],
"times_submitted": 90, "total_votes": { "harmless": 0,
"malicious": 0
},
"trid": [
{
"file_type": "file seems to be plain text/ASCII", "probability": 0
}
],
"type_description": "Text", "type_extension": "txt", "type_tag": "text", "unique_sources": 11
},
"id": "21f2049d5b7a94430621acbc5f6c467c134d368a2c69a8283cc08b1f6183962c",
"links": {
"self": "https://www.virustotal.com/api/v3/files/21f2049d5b7a94430621acbc5f6c467c134d368a2c69a8283cc08b1f6183962c"
},
"type": "file"
},...
],
"id": "moiparks.in", "links": {
"self": "https://www.virustotal.com/api/v3/domains/moiparks.in"
},
"referrer_files": [], "resolutions": [
{
"attributes": {
"date": 1538837772,
"host_name": "moiparks.in", "ip_address": "69.64.147.10", "resolver": "VirusTotal"
},
"id": "69.64.147.10moiparks.in", "links": {
"self": "https://www.virustotal.com/api/v3/resolutions/69.64.147.10moiparks.in"
},
"type": "resolution"
},...
],
"siblings": [], "subdomains": [
{
"attributes": {
"categories": {
"Comodo Valkyrie Verdict": "media sharing",
"sophos": "malware callhome, command and control"
},
"last_analysis_results": { "ADMINUSLabs": {
"category": "harmless", "engine_name":
"ADMINUSLabs",
"method": "blacklist", "result": "clean"
},...
},
"last_analysis_stats": { "harmless": 74,
"malicious": 2,
"suspicious": 1,
"timeout": 0,
"undetected": 8
},
"last_dns_records": [], "last_modification_date":
1610393131,
"popularity_ranks": {}, "reputation": 0, "tags": [], "total_votes": { "harmless": 0,
"malicious": 0
},
"whois": ""
},
"id": "www.moiparks.in", "links": {
"self": "https://www.virustotal.com/api/v3/domains/www.moiparks.in"
},
"type": "domain"
},...
],
"type": "domain", "urls": [
{
"attributes": {
"categories": {
"sophos": "malware callhome, command and control"
},
"first_submission_date": 1617845246,
"has_content": false, "html_meta": {}, "last_analysis_date": 1617845246, "last_analysis_results": {
"ADMINUSLabs": {
"category": "harmless",
"engine_name": "ADMINUSLabs",
"method": "blacklist", "result": "clean"
},...
},
"last_analysis_stats": { "harmless": 75,
"malicious": 1,
"suspicious": 0,
"timeout": 0,
"undetected": 9
},
"last_final_url": "https://moiparks.in/jack/admin.php",
"last_modification_date": 1617845256,
"last_submission_date": 1617845246,
"reputation": 0, "tags": [], "targeted_brand": {}, "threat_names": [
"C2/Generic-A"
],
"times_submitted": 1, "total_votes": { "harmless": 0,
"malicious": 0
},
"trackers": {}, "url":
"https://moiparks.in/jack/admin.php"
},
"context_attributes": { "url":
"https://moiparks.in/jack/admin.php"
},
"id": "fc9079b288905dab4db77984c4f8d78feacf015f9926e0baeb0cfefc061693f1",
"links": {
"self": "https://www.virustotal.com/api/v3/urls/fc9079b288905dab4db77984c4f8d78feacf015f9926e0baeb0cfefc061693f1"
},
"type": "url"
},...
]
}