Skip to content

VirusTotal

What It Is

VirusTotal aggregates results from 70+ antivirus engines, URL scanners, and threat intelligence feeds into a single lookup. Upload a file, paste a URL, or search an IP/domain to see what the community and engines know about it.

Key rule: anything you upload to VirusTotal becomes available to paying subscribers. Never upload sensitive, proprietary, or client files.

What You Can Search

Input	What you learn
File hash (MD5/SHA1/SHA256)	AV detections, file metadata, behavioral analysis, community comments
URL	Scanning results from URL checkers, redirects, associated IPs
Domain	DNS records, subdomains, WHOIS, associated files, passive DNS
IP address	Hosted domains, associated files, community reputation, geolocation

Useful Tabs (per result)

Tab	What it shows
Detection	Which engines flagged it and what they called it
Details	File metadata, PE headers, import table, creation timestamps
Relations	Contacted IPs/domains, dropped files, parent/child relationships
Behavior	Sandbox execution — processes spawned, files created, registry changes, network calls
Community	User comments and votes — often the most useful context

Quick Hash Lookup

If you have a suspicious file and want to check without uploading:

# Get SHA256 of a file
sha256sum suspicious-file.exe

# Search that hash on VirusTotal (no upload needed)
# → https://www.virustotal.com/gui/file/<HASH>

API (v3)

# File report by hash
curl -s "https://www.virustotal.com/api/v3/files/<HASH>" \
  -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'

# Domain report
curl -s "https://www.virustotal.com/api/v3/domains/example.com" \
  -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes'

# IP report
curl -s "https://www.virustotal.com/api/v3/ip_addresses/10.10.10.1" \
  -H "x-apikey: YOUR_API_KEY"

Free API: 4 lookups/minute, 500/day.

Links