VirusTotal
One-liner: Free online service that analyzes files, URLs, IPs, and domains using 70+ antivirus engines and threat intelligence feeds.
🎯 What Is It?
VirusTotal is a crowd-sourced malware analysis platform acquired by Google (Chronicle) that aggregates results from dozens of antivirus scanners, URL/domain blacklists, and file analysis tools. It's a first-stop resource for Malware Analysis, threat intel, and SOC analysts investigating suspicious artifacts.
Website: https://www.virustotal.com
🛠️ Core Features
1. File Analysis
Upload files (max 650MB) for scanning.
What it checks:
- 70+ antivirus engines (Windows Defender, Kaspersky, CrowdStrike, etc.)
- File metadata (EXIF Metadata, PE headers)
- Behavioral analysis (sandbox execution)
- Digital signatures
- Packer detection (UPX, Themida)
- YARA rules (Yara)
Example:
```shell
# Calculate the hash first (VirusTotal accepts MD5, SHA-1 or SHA-256 for lookups)
sha256sum suspicious.exe
# <64-hex-char SHA-256 digest>  suspicious.exe
# Search on VirusTotal by hash (no need to upload if already scanned)
```
2. URL/Domain Analysis
Check URLs, domains, and IPs for malicious activity.
What it checks:
- URL/domain blacklists (Google Safe Browsing, Phishtank)
- Historical DNS records
- WHOIS information (WHOIS)
- Associated files/samples
- SSL certificate details
- Passive DNS
Example:
URL: http://malicious-site.com/payload.exe
Detection: 45/90 security vendors flagged as malicious
Category: Trojan downloader
3. IP Address Lookup
Investigate IPs for malicious infrastructure.
What it provides:
- Geolocation
- ASN information
- Associated domains
- Historical malware communications
- Reputation score
4. Behavior Analysis (Sandbox)
For executable files, VirusTotal runs dynamic analysis:
- Process creation tree
- Registry modifications
- Network connections (IPs, domains)
- File system changes
- Mutex creation
Output Example:
Process: malware.exe
├─ Creates: C:\Users\Admin\AppData\Roaming\update.exe
├─ Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
├─ Network: 192.168.1.100:8080 (C2 server)
└─ DNS Query: evil-c2.com
5. Community & Threat Intel
- User comments and analysis notes
- MITRE ATT&CK technique mapping
- Relationship graphs (files → IPs → domains)
- Crowdsourced threat intelligence
📊 Detection Ratio
Example: 45/70 engines detected malware (45 = engines that flagged the file, 70 = engines that scanned it)
Interpretation:
- 0/70 — Likely clean (or zero-day)
- 1-5/70 — Possible False Positive, less common malware, or very new
- 20+/70 — Definitely malicious
- 60+/70 — Well-known, widely detected malware
Warning: 0 detections ≠ safe!
- New/custom malware may not be detected
- Zero-day exploits
- Fileless malware
🔑 VirusTotal API
For automation and integration.
API Endpoints
```shell
# File hash lookup
curl --request GET \
  --url https://www.virustotal.com/api/v3/files/{hash} \
  --header 'x-apikey: YOUR_API_KEY'

# URL scan
curl --request POST \
  --url https://www.virustotal.com/api/v3/urls \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'url=http://example.com'

# Domain lookup
curl --request GET \
  --url https://www.virustotal.com/api/v3/domains/evil.com \
  --header 'x-apikey: YOUR_API_KEY'
```
Rate Limits
- Public API: 4 requests/minute
- Premium API: 1000+ requests/minute
Python Example
```python
import requests

api_key = "YOUR_API_KEY"
file_hash = "5d41402abc4b2a76b9719d911017c592"  # MD5, SHA-1 or SHA-256 all work
url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
headers = {"x-apikey": api_key}

response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()  # 404 means VirusTotal has never seen this hash
stats = response.json()["data"]["attributes"]["last_analysis_stats"]
# Don't hard-code /70: the number of engines that scan a file varies
total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
print(f"Detections: {stats.get('malicious', 0)}/{total}")
```
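An added example, not part of the original note, tying the API lookup to the Detection Ratio thresholds and the hash-first opsec rule: it queries /files/{hash} with the standard library instead of requests, treats a 404 as "unknown to VirusTotal" rather than auto-uploading, and computes the ratio from last_analysis_stats instead of assuming 70 engines. The SAMPLE_REPORT values and the verdict wording are assumptions; the JSON shape follows the v3 API.

```python
# Added example: VT v3 hash lookup + triage verdict (not from the original note).
import json
import urllib.error
import urllib.request
from typing import Optional

VT_FILES = "https://www.virustotal.com/api/v3/files/{}"

def summarize_report(report: dict) -> dict:
    """Reduce a v3 /files/{hash} JSON body to a ratio and a triage verdict."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    # Denominator = engines that actually returned a result; timeouts and
    # type-unsupported entries are excluded, so it is rarely exactly 70.
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    # Thresholds follow the Detection Ratio section; 6-19 is left as "review".
    if malicious == 0:
        verdict = "likely clean (not proof: new or fileless malware also scores 0)"
    elif malicious <= 5:
        verdict = "low confidence: possible FP, rare or very new malware"
    elif malicious >= 60:
        verdict = "well-known, widely detected malware"
    elif malicious >= 20:
        verdict = "malicious"
    else:
        verdict = "review: check sandbox behaviour before deciding"
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    return {"sha256": attrs.get("sha256"), "ratio": f"{malicious}/{total}",
            "suspicious": stats.get("suspicious", 0), "verdict": verdict, "label": label}

def lookup_hash(file_hash: str, api_key: str) -> Optional[dict]:
    """Hash-only lookup, never an upload. None means VT has never seen the hash."""
    req = urllib.request.Request(VT_FILES.format(file_hash), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # unknown hash: decide deliberately whether an upload is acceptable
        raise

# Constructed sample body (shape follows the v3 API; the values are made up).
SAMPLE_REPORT = {"data": {"attributes": {
    "sha256": "<placeholder sha256>",
    "last_analysis_stats": {"malicious": 45, "suspicious": 2, "undetected": 22,
                            "harmless": 1, "timeout": 1, "type-unsupported": 3},
    "popular_threat_classification": {"suggested_threat_label": "trojan.downloader"}}}}
```

Run `summarize_report(SAMPLE_REPORT)` offline to see the verdict logic; `lookup_hash("<sha256>", "<api key>")` performs the live, upload-free query.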
💡 Use Cases
1. Malware Analysis
1. Receive suspicious .exe from phishing email
2. Upload to VirusTotal
3. Check detection ratio: 52/70 (malicious)
4. Review behavioral analysis: Creates persistence, contacts C2
5. Extract IOCs: IPs, domains, file hashes
6. Share with team
2. Threat Intelligence
- Pivot from file hash → related IPs/domains
- Track threat actor infrastructure
- Monitor for new samples in malware campaigns
3. Incident Response
- Quickly triage suspicious files during investigation
- Validate if artifact is known malware
- Extract network IOCs for blocking
4. Alert Triage
Alert: Suspicious file downloaded from email
File Hash: abc123...
VirusTotal: 0/70 detections
→ Upload for behavioral analysis
→ Review sandbox results
→ Determine if malicious or FP
⚠️ Operational Security Considerations
🚫 Do NOT upload:
- Proprietary/confidential files
- Customer data
- Unreleased research
- Sensitive documents
Why?
- All uploads are publicly searchable
- Accessible to anyone with link/hash
- Intelligence agencies, threat actors monitor VirusTotal
- Can burn investigation (attacker sees you uploaded their malware)
✅ Safe practices:
- Use hash lookups instead of uploading (if hash exists)
- Use VirusTotal Intelligence (premium, private uploads)
- Hash files locally first:
```shell
sha256sum file.exe  # Search VT by hash (no upload needed)
```
- For sensitive files, use private sandboxes (Cuckoo, ANY.RUN)
🔍 Advanced Features (Premium)
VirusTotal Intelligence
- Private file uploads
- Advanced search (YARA, behavioral traits)
- Hunting rules
- Retroactive detection (notifications for old files)
VirusTotal Graph
- Visual relationship mapping
- Pivot from file → IP → domain → other files
- Threat actor infrastructure tracking
LiveHunt
- Create YARA rules
- Get notified when new samples match
- Threat hunting automation
📊 Statistics
- 300K+ files uploaded daily
- 2M+ URLs scanned daily
- 70+ AV engines integrated
- Launched: 2004 (acquired by Google 2012)
🎤 Interview Angles
Q: How would you use VirusTotal in an investigation?
STAR Example:
Situation: User reported suspicious email attachment (invoice.exe).
Task: Determine if file is malicious.
Action:
- Calculated SHA256 hash of file
- Searched VirusTotal by hash (no upload, opsec)
- Result: 48/70 detections (trojan downloader)
- Reviewed behavioral analysis: Creates persistence, contacts evil-c2.com
- Extracted IOCs: IP 192.0.2.100, domain evil-c2.com
- Blocked IOCs at firewall, added hash to EDR blacklist
Result: Confirmed malware, prevented spread, no systems infected.
Q: What are the limitations of VirusTotal?
- Public visibility — All uploads are searchable (opsec risk)
- Zero-day detection — May not detect brand new malware (0/70)
- False sense of security — 0 detections ≠ safe
- Context-less — Doesn't know your environment
- Static analysis bias — Fileless malware may not be detected
- Not real-time — Hash must already exist or you must upload
Q: Why shouldn't you upload sensitive files?
- All uploads are publicly searchable
- Accessible to threat actors, intelligence agencies
- Can expose proprietary research or customer data
- Can burn active investigations (attacker sees you uploaded their tool)
- Better to use hash lookups or private sandboxes
🔗 Related Concepts
- Malware Analysis — Primary use case
- Yara — Detection rules used by VT
- Threat Intelligence — IOC enrichment
- Incident Response — Triage workflow
- PEStudio — Offline alternative for PE analysis
- Cyberchef — Complementary analysis tool