VirusTotal Lookups

Use VirusTotal effectively for file and URL reputation analysis.

Last updated: February 2026

Purpose and Scope

VirusTotal aggregates results from 70+ antivirus engines, URL scanners, and sandbox environments. This playbook covers how to use VirusTotal effectively for file and URL analysis, interpret results correctly, and integrate lookups into SOC workflows.

Prerequisites

  • VirusTotal account: Free account for basic lookups, premium for advanced features
  • API key: For automated queries and integration
  • Sample handling procedures: Safe methods for extracting hashes
  • Understanding of AV detection: How different engines classify threats

What VirusTotal Provides

File Analysis

  • Detection verdicts from 70+ AV engines
  • File metadata (size, type, timestamps)
  • Behavioral analysis from sandboxes
  • Embedded strings and imports
  • Relationships to other files, domains, and IPs

URL and Domain Analysis

  • URL scanning against multiple engines
  • Domain reputation and categorization
  • WHOIS and DNS information
  • SSL certificate details
  • Historical resolution data

IP Address Analysis

  • Reputation based on hosted content
  • Associated domains (passive DNS)
  • Files that communicated with the IP
  • Geolocation and ASN information

Lookup Workflow

File Hash Lookup

  1. Extract the file hash (prefer SHA256 for accuracy)
  2. Search the hash on VirusTotal
  3. Review detection ratio and engine names
  4. Check the Behavior tab for sandbox results
  5. Examine Relations for connected infrastructure
  6. Review Community comments for analyst insights

URL Lookup

  1. Submit the URL for scanning or search existing results
  2. Review detection verdicts from URL scanners
  3. Check the final destination after redirects
  4. Examine downloaded files if any
  5. Review the screenshot if available

Domain Lookup

  1. Search the domain name
  2. Review reputation and categorization
  3. Check WHOIS for registration details
  4. Examine DNS records and resolutions
  5. Review associated files and URLs

Interpreting Results

Detection Ratios

Understand what detection counts mean:

  • 0 detections: Not necessarily clean; could be new, targeted, or undetected
  • 1-5 detections: May be false positives; check which engines detected
  • 5-20 detections: Likely malicious; review detection names for classification
  • 20+ detections: High confidence malicious

Detection count alone is not definitive. Review the specific engines and detection names.

Detection Names

Parse detection names for context:

  • Family names indicate malware type (Emotet, Cobalt Strike, AgentTesla)
  • Generic names (Trojan.Generic, Malware.AI) provide less context
  • PUP/PUA indicates potentially unwanted software, not necessarily malware
  • Heuristic detections may have higher false positive rates
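The file hash lookup steps, the detection-ratio bands and the detection-name guidance above, as one added Python example (not code from this playbook and not VirusTotal's own client library). It assumes the v3 `files/{hash}` endpoint with the `x-apikey` header and the `sha256`, `last_analysis_stats`, `last_analysis_results` and `popular_threat_classification` fields of its response; the token vocabulary used to separate generic and heuristic names from family names, the `known_tooling` allowlist and the sample report are constructed for illustration.

```python
import hashlib
import json
import re
import urllib.request

# VirusTotal v3 file-report endpoint. Reports are keyed by hash, so a lookup
# never uploads the sample (see the privacy notes in this playbook).
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"
VT_GUI_FILE = "https://www.virustotal.com/gui/file/"

# Assumption (constructed vocabulary): tokens that carry no family information.
# A detection name made only of these tokens is generic or heuristic; any other
# token is treated as a family name. Extend the sets for your own engine mix.
UNINFORMATIVE = {"malware", "trojan", "generic", "gen", "ai", "ml", "heur",
                 "heuristic", "win32", "win64", "msil", "suspicious"}
PUP_TOKENS = {"pup", "pua", "unwanted", "riskware"}
HEURISTIC_TOKENS = {"heur", "heuristic"}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Step 1: hash the sample from disk, streaming so large files fit in memory.
    The file is only read as bytes; nothing is executed or opened in a handler."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_file_report(sha256: str, api_key: str) -> dict:
    """Step 2: retrieve the existing report for a hash (HTTP 404 = VT has never seen it)."""
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_band(malicious: int) -> str:
    """Step 3: the playbook's bands. They overlap at 5 and 20; the boundary goes to the lower band."""
    if malicious == 0:
        return "0 detections: not necessarily clean (new, targeted or undetected)"
    if malicious <= 5:
        return "1-5 detections: possible false positive, check which engines fired"
    if malicious <= 20:
        return "5-20 detections: likely malicious, classify from detection names"
    return "20+ detections: high confidence malicious"


def classify_detection_name(name: str) -> str:
    """Sort a detection name into pup / heuristic / generic / family."""
    tokens = {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t}
    if tokens & PUP_TOKENS:
        return "pup"
    if tokens <= UNINFORMATIVE:
        return "heuristic" if tokens & HEURISTIC_TOKENS else "generic"
    return "family"


def summarize_report(report: dict, known_tooling: frozenset = frozenset()) -> dict:
    """Steps 3-6 in one pass: ratio, which engines fired, name classes, and the VT link
    to drop into alert context. known_tooling lets authorised red-team tools be flagged
    so a 'hacking tool' verdict is read in context rather than escalated blindly."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    sha256 = attrs["sha256"]
    malicious = stats.get("malicious", 0)
    scanned = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    by_class = {"family": [], "generic": [], "heuristic": [], "pup": []}
    for engine, r in sorted(attrs["last_analysis_results"].items()):
        if r.get("category") in ("malicious", "suspicious") and r.get("result"):
            by_class[classify_detection_name(r["result"])].append((engine, r["result"]))
    label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label")
    return {
        "sha256": sha256,
        "ratio": f"{malicious}/{scanned}",
        "band": detection_band(malicious),
        "family_label": label,          # VT's aggregated family name, if it has one
        "by_class": by_class,
        "authorized_tooling": sha256 in known_tooling,
        "link": VT_GUI_FILE + sha256,
    }


# Constructed sample: the shape follows the v3 file object, the values are made up.
SAMPLE_REPORT = {"data": {"type": "file", "id": "aa" * 32, "attributes": {
    "sha256": "aa" * 32,
    "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 1, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Win32.Emotet.gen"},
        "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
        "EngineC": {"category": "malicious", "result": "HEUR:Trojan.Win32.Generic"},
        "EngineD": {"category": "undetected", "result": None},
    },
    "popular_threat_classification": {"suggested_threat_label": "trojan.emotet/generic"},
}}}

if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

With a live key, replace `SAMPLE_REPORT` by `fetch_file_report(sha256_of_file(path), api_key)`; the summary is the same either way. One family-name hit plus a VT threat label is worth more than two generic names, which is why the engines are grouped by name class rather than only counted.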

Sandbox Behavior

Review what the file did when executed:

  • Network connections (C2 communication)
  • File system modifications (dropped files, persistence)
  • Registry changes (Windows persistence)
  • Process creation (child processes, injection)
  • API calls (suspicious function usage)

Relationships Graph

Explore connections between entities:

  • Files downloaded from a domain
  • Domains resolved to an IP
  • Files that contacted an IP
  • Similar files by behavior or structure

Common Pitfalls

  • Trusting zero detections: New or targeted malware may not be detected
  • Ignoring context: A file detected as a "hacking tool" may be legitimate if used by your red team
  • Uploading sensitive files: Uploaded files become available to premium subscribers
  • Stale data: Old scans may not reflect current detection
  • Shared infrastructure: Legitimate services on the same IP as malware

API Integration

Basic API Usage

  • Search by hash, URL, domain, or IP
  • Submit files or URLs for scanning
  • Retrieve detailed reports programmatically
  • Free tier: 4 requests per minute, 500 per day
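The free-tier quota above, as an added Python example that is not part of this playbook or of VirusTotal's own client: a sliding-window limiter that stays within 4 requests per minute and 500 per day, wrapped around a hash-only lookup that treats HTTP 404 as "unknown to VT" and backs off on HTTP 429. The endpoint and `x-apikey` header are VirusTotal's v3 API; `FakeClock`, the 60-second back-off and the retry count are this example's own assumptions.

```python
import json
import time
import urllib.error
import urllib.request
from collections import deque

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


class VTQuotaLimiter:
    """Sliding-window limiter for the documented free-tier quota (4/min, 500/day).
    clock and sleeper are injectable so the limiter can be exercised without waiting."""

    def __init__(self, per_minute=4, per_day=500, clock=time.monotonic, sleeper=time.sleep):
        self.per_minute, self.per_day = per_minute, per_day
        self.clock, self.sleeper = clock, sleeper
        self._minute = deque()   # timestamps of requests in the last 60 s
        self._day = deque()      # timestamps of requests in the last 24 h

    def _prune(self, now):
        while self._minute and now - self._minute[0] >= 60:
            self._minute.popleft()
        while self._day and now - self._day[0] >= 86400:
            self._day.popleft()

    def wait_time(self):
        """Seconds to wait so the next request stays inside both windows."""
        now = self.clock()
        self._prune(now)
        wait = 0.0
        if len(self._minute) >= self.per_minute:
            wait = max(wait, 60 - (now - self._minute[0]))
        if len(self._day) >= self.per_day:
            wait = max(wait, 86400 - (now - self._day[0]))
        return wait

    def acquire(self):
        """Block until a request is allowed, record it, and return how long we waited."""
        wait = self.wait_time()
        if wait > 0:
            self.sleeper(wait)
        now = self.clock()
        self._prune(now)
        self._minute.append(now)
        self._day.append(now)
        return wait


class FakeClock:
    """Constructed stand-in for time.monotonic / time.sleep used by the demo below."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def _http_get(url, api_key):
    """Real transport: returns (status, body); 404 and 429 are returned, not raised."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def lookup_hash(sha256, api_key, limiter, fetch=_http_get, max_attempts=3):
    """Hash-only lookup (nothing is uploaded). Returns the report dict, or None when
    VT has no record. A 429 means the quota was hit anyway (e.g. another tool sharing
    the key), so back off a full minute before the next attempt."""
    for _ in range(max_attempts):
        limiter.acquire()
        status, body = fetch(VT_FILES_ENDPOINT + sha256, api_key)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return None
        if status == 429:
            limiter.sleeper(60)
            continue
        raise RuntimeError(f"VirusTotal returned HTTP {status}")
    raise RuntimeError("quota still exceeded after retries")


if __name__ == "__main__":
    clock = FakeClock()
    limiter = VTQuotaLimiter(clock=clock, sleeper=clock.sleep)
    for i in range(6):
        waited = limiter.acquire()
        print(f"request {i + 1}: waited {waited:.0f}s (t={clock.now:.0f}s)")
```

For a SOAR playbook that enriches every alert, share one limiter instance across all workers that use the same key; the per-day window is what usually bites, and the `wait_time()` value can be surfaced as a metric so you notice when enrichment is queueing rather than failing silently.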

SOAR Integration

  • Auto-enrich alerts with VT data
  • Block files with high detection counts
  • Create cases for files with sandbox IOCs
  • Add VT links to alert context

Privacy Considerations

  • Do not upload files containing sensitive data
  • Use hash lookups instead of file uploads when possible
  • Be aware that file names are visible to other users
  • Submitted URLs are publicly searchable
  • Premium subscribers can access all uploaded files

Escalation Guidance

Escalate when VirusTotal shows:

  • High detection count with known malware family
  • Sandbox behavior indicating C2 or data theft
  • Relationships to known threat actor infrastructure
  • Files actively spreading in your environment
