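class VirusTotalExtractor(FeatureExtractor):
    """Feature extractor backed by the VirusTotal v2 ``file/report`` API.

    The file is looked up by its MD5 first; only when VirusTotal has no
    record of it is the file itself uploaded via ``file/scan``.  Anything
    uploaded to VirusTotal is shared with its partner community, so this
    extractor should not be pointed at confidential samples.
    """

    def __init__(self, file, pefile_parsed=None, lief_parsed=None):
        """Initialise the base extractor and a v2 client using ``VIRUSTOTAL_API_KEY``."""
        super().__init__(file, pefile_parsed, lief_parsed)
        self.endpoint = Virustotal(API_KEY=VIRUSTOTAL_API_KEY)

    def _file_md5(self):
        """Return the hex MD5 of ``self.file``.

        Reads in chunks inside a ``with`` block so the handle is always
        closed (the previous version leaked an open file on every call).
        """
        digest = hashlib.md5()
        with open(self.file, "rb") as handle:
            for chunk in iter(lambda: handle.read(1 << 20), b""):
                digest.update(chunk)
        return digest.hexdigest()

    def _submit_for_scan(self):
        """Upload ``self.file`` with ``file/scan`` and return the ``resource`` id VirusTotal assigns."""
        with open(os.path.abspath(self.file), "rb") as handle:
            encoding = {"file": (os.path.basename(self.file), handle)}
            queue_response = self.endpoint.request("file/scan", files=encoding, method="POST").json()
        return queue_response["resource"]

    def extract(self, **kwargs):
        """Return per-engine detection flags plus the total positive count.

        Keys are ``virustotal_<engine>`` (1 if that engine flagged the file,
        else 0) and ``virustotal_total_positives``.  Keyword arguments are
        accepted for interface compatibility and not used.

        Raises:
            KeyError: when the report carries no ``scans``/``positives``.
                That is what VirusTotal returns for a file that was just
                submitted and is still queued (``response_code`` is not 1);
                callers must retry once the analysis has completed.
        """
        # Hash first so previously analysed files are not re-submitted.
        md5_hash = self._file_md5()
        analysis_response = self.endpoint.request("file/report", {"resource": md5_hash}).json()

        # response_code 0 means VirusTotal has never seen this file: upload it,
        # then ask for the report by the resource id of the queued scan.
        if analysis_response["response_code"] == 0:
            resource = self._submit_for_scan()
            analysis_response = self.endpoint.request("file/report", {"resource": resource}).json()

        # A queued analysis comes back without "scans"; name the situation
        # instead of letting an anonymous KeyError escape from below.
        if "scans" not in analysis_response or "positives" not in analysis_response:
            raise KeyError(
                "VirusTotal report for %s has no scan results yet (response_code=%s); "
                "retry once the analysis completes"
                % (md5_hash, analysis_response.get("response_code"))
            )

        # One 0/1 feature per scanner, plus the overall positive count.
        features = {
            "virustotal_" + scanner: int(result["detected"])
            for scanner, result in analysis_response["scans"].items()
        }
        features["virustotal_total_positives"] = int(analysis_response["positives"])
        return features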
"""
Retrieve information about a file from the VirusTotal API.

Documentation:
* v2 documentation - https://developers.virustotal.com/reference#file-report
* v3 documentation - https://developers.virustotal.com/v3.0/reference#file-info
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# The ID (either SHA-256, SHA-1 or MD5) identifying the file
FILE_ID = "9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115"

# v2 example: the legacy endpoint takes the hash as the "resource" parameter
# and reports a numeric response_code alongside the JSON body.
client_v2 = Virustotal(API_KEY=API_KEY)
report_v2 = client_v2.request("file/report", {"resource": FILE_ID})
print(report_v2.response_code)
pprint(report_v2.json())

# v3 example: the hash is part of the path and the parsed object is in .data.
client_v3 = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
report_v3 = client_v3.request("files/" + FILE_ID)
pprint(report_v3.data)
"""
* v3 documentation - https://developers.virustotal.com/v3.0/reference#search-1
* https://developers.virustotal.com/v3.0/reference#metadata
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# The ID (either SHA-256, SHA-1 or MD5) identifying the file
FILE_ID = "9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115"

# v3 examples
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")

# Each entry is one search request against the v3 "search" endpoint:
#   - a domain (google.com)
#   - Google's DNS resolver (8.8.8.8)
#   - a file ID
#   - the tag comment '#malicious'
search_queries = ("google.com", "8.8.8.8", FILE_ID, "#malicious")
for search_query in search_queries:
    resp = vtotal.request("search", params={"query": search_query})

# Retrieve VirusTotal metadata
resp = vtotal.request("metadata")

# Print out a list of VirusTotal's supported engines
resp = vtotal.request("metadata")
engines_dict = resp.data["engines"]
print(engines_dict.keys())
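response2 = requests.post(Url2, headers=headers2, data=payload2).json()
print("[+] Incident Details were received Successfully")

# Entities loading: the entity list arrives as a JSON string inside the query
# result (first table, first row, column 21 — assumed to be the Entities
# column; confirm against the query that builds payload2).
Entities = response2["Tables"][0]["Rows"][0][21]
Parsed_Entities = json.loads(Entities)
print("[+] Entities were received Successfully")

# Public API constraints and restrictions:
#   - limited to 500 requests per day and a rate of 4 requests per minute
#   - must not be used in commercial products or services
#   - must not be used in business workflows that do not contribute new files
# One client serves the whole run; building it per entity bought nothing.
vtotal = Virustotal(API_KEY=VT_API_KEY, API_VERSION="v3")

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")
HASH_LENGTHS = (32, 40, 64)  # hex-digest lengths of MD5, SHA-1, SHA-256


def _looks_like_file_hash(value):
    """Return True if *value* is an MD5/SHA-1/SHA-256 hex digest.

    The v3 ``files/{id}`` endpoint only accepts such digests, and the entity
    values come from the incident rather than from this script, so only
    hash-shaped strings are interpolated into the request path.
    """
    return (
        isinstance(value, str)
        and len(value) in HASH_LENGTHS
        and all(char in HEX_DIGITS for char in value)
    )


for entity in Parsed_Entities:
    if "Value" not in entity:
        continue
    file_hash = entity["Value"]
    if not _looks_like_file_hash(file_hash):
        print("[-] Skipping entity value that is not a file hash: " + str(file_hash))
        continue
    VT_resp = vtotal.request("files/" + file_hash).json()
    attributes = VT_resp["data"]["attributes"]
    results = attributes["last_analysis_results"]
    magic = attributes["magic"]
    print("[+] The File Magic is: " + magic)
    for key, value in results.items():
        print("[+] " + value["engine_name"] + " - The scan result is: " + str(value["result"]))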
"""
* v3 documentation - https://developers.virustotal.com/v3.0/reference#ip-addresses
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# Example IP address (Google DNS)
IP = "8.8.8.8"

# v2 examples
client_v2 = Virustotal(API_KEY=API_KEY)

# Retrieve information about an IP address (legacy endpoint, "ip" query parameter)
resp = client_v2.request("ip-address/report", params={"ip": IP})
pprint(resp.json())

# v3 examples
client_v3 = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
ip_path = "ip_addresses/" + IP

# Retrieve information about an IP address
resp = client_v3.request(ip_path)

# Retrieve objects (relationships) related to an IP address.
# historical_whois is one relationship; for the others see the table at:
# https://developers.virustotal.com/v3.0/reference#ip-relationships
resp = client_v3.request(ip_path + "/historical_whois")

# Retrieve communicating_files related to the IP address with a limit of 5
resp = client_v3.request(ip_path + "/communicating_files", params={"limit": 5})
elif args.depacify == True: badURL = args.url output = refang(badURL) print("Here's the depacified link (be careful!):\n" + output) exit() #Runs a scan of VT DB and refangs the URL elif args.vt == True: badURL = args.url output = refang(badURL) try: resp = vtotal.request("url/scan", params={"url": output}, method="POST") url_resp = resp.json() scan_id = url_resp["scan_id"] analysis_resp = vtotal.request("url/report", params={"resource": scan_id}) jdata = analysis_resp.json() #Next, we need to filter the information so that way we know whether or not a URL us malicious #If positives are more than 0, then it outputs the reason for it being malicious if jdata['positives'] > 0: #Outputs how many positives are found out of the total scans print(Fore.RED + "\nVirus Total has detected that " + str(jdata['positives']) + " out of " + str(jdata['total']) + " scan engines have detected this URL as malicious. \n")
# Example IP address (Google DNS)
IP = "8.8.8.8"

# Example ID of a graph
## NOTE: There are no comments on this graph so an empty list is returned
GRAPH_ID = "g70fae134aefc4e2f90f069aba47d15a92e0073564310443aa0b6ca3384f5240d"

# Example comment ID
COMMENT_ID = "f-9f101483662fc071b7c10f81c64bb34491ca4a877191d464ff46fd94c7247115-07457619"

# v2 examples
client_v2 = Virustotal(API_KEY=API_KEY)

# Retrieve comments for a given file ID
resp = client_v2.request("comments/get", params={"resource": FILE_ID})
pprint(resp.json())

# Create a comment for a given file ID.
# This is a write: the comment is published under the API key's account.
new_comment = {"resource": FILE_ID, "comment": "Wow, this looks like a #malicious file!"}
resp = client_v2.request("comments/put", params=new_comment, method="POST")
pprint(resp.json())

# v3 examples
client_v3 = Virustotal(API_KEY=API_KEY, API_VERSION="v3")

## Retrieving comments for resources
### Retrieve 10 comments for a file
resp = client_v3.request("files/" + FILE_ID + "/comments", params={"limit": 10})
### Retrieve 2 comments for a URL
"""
The examples in this file are for virustotal-python version >=0.1.0

Retrieve graphs and interact with them using the VirusTotal v3 API.

Documentation:
* v3 documentation - https://developers.virustotal.com/v3.0/reference#graphs-1
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# Example ID of a graph
GRAPH_ID = "g70fae134aefc4e2f90f069aba47d15a92e0073564310443aa0b6ca3384f5240d"

# v3 examples
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")

## Retrieve 3 graphs from the VirusTotal v3 API
resp = vtotal.request("graphs", params={"limit": 3})

## Retrieve 2 graphs, filtered by owner, ordered by view count, and asking
## for the graph_data attribute only
graph_query = {
    "limit": 2,
    "filter": "owner:hugoklugman",
    "order": "views_count",
    "attributes": "graph_data",
}
resp = vtotal.request("graphs", params=graph_query)

### Retrieve a graph using the graph's ID
resp = vtotal.request("graphs/" + GRAPH_ID)

# For more graph endpoints, see https://developers.virustotal.com/v3.0/reference#graphs-1
# To create a graph, head to https://www.virustotal.com/graph/
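import os.path
from base64 import urlsafe_b64encode
from pprint import pprint

from virustotal_python import Virustotal

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

URLS = ["google.com", "wikipedia.com", "github.com", "ihaveaproblem.info"]

# v2 example
vtotal = Virustotal(API_KEY=API_KEY)

# Send the URLs to VirusTotal for analysis.
# A maximum of 4 URLs can be sent at once for a v2 API request; they go in
# one request, newline-separated.  (This used to join the undefined name
# ``url`` and failed with NameError before any request was made.)
resp = vtotal.request("url/scan", params={"url": "\n".join(URLS)}, method="POST")
for url_resp in resp.json():
    # Obtain scan_id
    scan_id = url_resp["scan_id"]
    # Request report for URL analysis
    analysis_resp = vtotal.request("url/report", params={"resource": scan_id})
    print(analysis_resp.response_code)
    pprint(analysis_resp.json())

# v3 example
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
for url in URLS:
    # Send the URL to VirusTotal for analysis
    resp = vtotal.request("urls", data={"url": url}, method="POST")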
"""
Retrieve information about a domain from the VirusTotal API.

Documentation:
* v2 documentation - https://developers.virustotal.com/reference#domain-report
* v3 documentation - https://developers.virustotal.com/v3.0/reference#domain-info
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

domain = "virustotal.com"

# v2 example: the domain goes in the "domain" query parameter and the client
# exposes a numeric response_code next to the JSON body.
client_v2 = Virustotal(API_KEY=API_KEY)
report_v2 = client_v2.request("domain/report", params={"domain": domain})
print(report_v2.response_code)
pprint(report_v2.json())

# v3 example: the domain is part of the path and the parsed object is in .data.
client_v3 = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
report_v3 = client_v3.request("domains/" + domain)
pprint(report_v3.data)
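"""
* v2 documentation - https://developers.virustotal.com/reference#file-scan
* v3 documentation - https://developers.virustotal.com/v3.0/reference#files-scan
"""
from virustotal_python import Virustotal
import os.path
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# Declare PATH to file.
# Anything uploaded to VirusTotal is shared with its partner community, so do
# not point this at confidential material.
FILE_PATH = "/path/to/file/to/scan.txt"


def scan_file(client, endpoint):
    """POST FILE_PATH to *endpoint* on *client* as a multipart upload and return the response.

    A fresh handle is opened for every call and closed on exit.  The earlier
    version built one ``files`` dict with a single open handle and reused it
    for both uploads: after the first request had read it to EOF, the second
    request sent an empty file, and the handle was never closed.
    """
    with open(os.path.abspath(FILE_PATH), "rb") as handle:
        files = {"file": (os.path.basename(FILE_PATH), handle)}
        return client.request(endpoint, files=files, method="POST")


# v2 example
vtotal = Virustotal(API_KEY=API_KEY)
resp = scan_file(vtotal, "file/scan")
print(resp.response_code)
pprint(resp.json())

# v3 example
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")
resp = scan_file(vtotal, "files")
pprint(resp.data)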
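"""
* v3 documentation - https://developers.virustotal.com/v3.0/reference#collections
"""
from virustotal_python import Virustotal
from pprint import pprint

# Placeholder only; in real use read the key from the environment rather than
# committing it to source.
API_KEY = "Insert API key here."

# Example IP address (Google DNS)
IP = "8.8.8.8"

# v3 example
vtotal = Virustotal(API_KEY=API_KEY, API_VERSION="v3")

# Retrieve communicating_files related to the IP address, 2 per page
resp = vtotal.request(f"ip_addresses/{IP}/communicating_files", params={"limit": 2})

# Number of follow-up pages fetched so far.  (It was previously printed but
# never incremented, so every iteration reported 0.)
count = 0

# While a cursor is present, keep collecting results!
# Each iteration is one API request; with small pages and a long relationship
# this can run into the public API's rate limit, so bound it in real code.
while resp.cursor:
    count += 1
    print(count)
    print(f"This is the current: {resp.cursor}")
    # Get more results with cursor
    resp = vtotal.request(
        f"ip_addresses/{IP}/communicating_files",
        params={"limit": 2, "cursor": resp.cursor},
    )
    # Do something with the resp here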