VirusTotal (Public API) – Maltego

Create a VirusTotal Account and get your unique API Key.

An API Key is needed to use the free Transforms. It is located under *username* > API key.

Do not share your API Key with anyone.

The VirusTotal (Public API) can analyze many different Maltego Entity types including:

  • Domains
  • Sub-Domains
  • IP Addresses
  • URLs
  • Subnets
  • Name Servers
  • Communicating Files
  • Hashes
  • DNS Resolutions
  • CVE
  • File Bundles & Associated files
  • Comments & Phrases
  • Historical WHOIS & SSL Certificates
  • Tags


Navigate to the Transform Hub, under the Home Tab, and search for VirusTotal (Public API).

Install the VirusTotal (Public API) Transform Set and input your API Key if prompted.

Next, drag a Hash or VirusTotal Entity from the Entity Palette and run the Transform.

Input a VirusTotal File Number:

9454C5CB868992BD1B29C8D1BA6DFD36

or a Hash:

2ae6d71d98d6324da50e8c3afc3d54fddb2ab62b139ef75dad2d20b190122c80

VirusTotal (Public API) > Search VirusTotal [VirusTotal (Public API)]

If there is a match in the VirusTotal database, it will return a VirusTotal File Entity.

It will have details about the piece of malware such as the file type, extension, name, hashes, aggregate results from multiple malware scanning services, and a link to the VirusTotal webpage with more information.

The sample is a JAR file and a confirmed piece of malware identified as a Trojan targeting Android operating systems.
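The lookup the Search VirusTotal transform performs can also be done directly against the VirusTotal v3 REST API (`GET /api/v3/files/{hash}` with the key in the `x-apikey` header). The script below is an added example, not part of this walkthrough or Maltego; the `VT_API_KEY` environment variable, the `SAMPLE_REPORT` values other than the two hashes above, and the field selection are assumptions for the example.

```python
"""Look up a file hash on VirusTotal (API v3) and reduce the report to the
fields the Maltego File entity shows. Added example; the sample report and
VT_API_KEY variable name are constructed for illustration."""
import json
import os
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def fetch_file_report(file_hash: str, api_key: str) -> dict:
    """Fetch the raw v3 report for an MD5/SHA-1/SHA-256 (needs network + key)."""
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_file_report(report: dict) -> dict:
    """Pick out hashes, type, size, names, detection ratio and the GUI link."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {
        "sha256": attrs.get("sha256"),
        "md5": attrs.get("md5"),
        "file_type": attrs.get("type_description"),
        "size_kb": round(attrs.get("size", 0) / 1024, 2),
        "names": attrs.get("names", []),
        "detections": f"{flagged}/{sum(stats.values())}",
        "gui_url": "https://www.virustotal.com/gui/file/" + report["data"]["id"],
    }


# Constructed sample in the shape of a real v3 reply: only the two hashes come
# from the walkthrough; size, names and scanner counts are made up here.
SAMPLE_REPORT = {"data": {"type": "file",
    "id": "2ae6d71d98d6324da50e8c3afc3d54fddb2ab62b139ef75dad2d20b190122c80",
    "attributes": {
        "sha256": "2ae6d71d98d6324da50e8c3afc3d54fddb2ab62b139ef75dad2d20b190122c80",
        "md5": "9454c5cb868992bd1b29c8d1ba6dfd36",
        "type_description": "JAR",
        "size": 39465,
        "names": ["sample.jar"],
        "last_analysis_stats": {"malicious": 30, "suspicious": 1,
                                "undetected": 29, "harmless": 0}}}}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")  # read the key from the environment, never hard-code it
    report = fetch_file_report(SAMPLE_REPORT["data"]["id"], key) if key else SAMPLE_REPORT
    print(json.dumps(summarize_file_report(report), indent=2))
```

Without `VT_API_KEY` set the script summarizes the constructed sample offline; with it set, it queries the live API for the same SHA-256.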

Detail View:

Follow the link in Detail View.

Detail View > GUI URL: https://www.virustotal.com/gui/file/2ae6d71d98d6324da50e8c3afc3d54fddb2ab62b139ef75dad2d20b190122c80

Under the Details Tab there is information like:

  • Hashes, the main identifier of the file or malware.
  • File Type, a zipped .jar file.
  • The compressed size is 38.54 KB
  • History Timestamps
  • File Names

Looking at the metadata:

  • There are two files associated with this piece of malware.
  • The size of the payload is 88.90 KB.
  • Archive Metadata suggests the file is recent, from June 2021.

Running Virus Total (Public API) > All Transforms on a Hash:

This returns links to other VirusTotal Files and Hashes related to the original malware file, along with Tags and Phrases.

Try running Transforms on other types of Entities like VirusTotal Files, Domains, URLs, IPs and Phrases.

Virus Total (Public API) > All Transforms

Virus Total (Public API) > File Properties [Virus Total Public API]

The VirusTotal Database also tracks CVEs (Common Vulnerabilities and Exposures).

Virus Total (Public API) > Vulnerability Details [Virus Total Public API] > To CVE [Virus Total Public API]

After running Virus Total (Public API) > All Transforms on this popular torrent hosting website, there are 233 Positive Results.

The VirusTotal Public Transforms can quickly help an analyst analyze a piece of malware and its identifiers. It is possible to see where the malware is being distributed from, as well as file names, CVEs, hashes, tags and relations that are already stored in the free VirusTotal Database.
