VirusTotal Intelligence

Combine Google and Facebook and apply it to the field of Malware
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Powerful malware search

Imagine the planet-scale search engine capabilities of Google, add the relationships and in-depth profile characterisation of Facebook, now apply the combination to the malware and threat intelligence field, that would be a very broad summary of what VirusTotal Intelligence is. Both a microscope into individual threats and a telescope into malicious behaviours on the Internet.

Search VirusTotal's dataset for malware samples, URLs, domains and IP addresses according to binary properties, antivirus detection verdicts, static features, behavior patterns such as communication with specific hosts or IP addresses, submission metadata and many other notions. Pinpoint files similar to your suspect being studied. Samples matching search criteria can be downloaded for further study.


Gather signals to trace your threat. VirusTotal tools extract suspicious signals such as OLE VBA code streams in Office document macros, invalid cross reference tables in PDFs, packer details in Windows Executables, intrusion detection system alerts triggered in PCAPs, Exif metadata, authenticode signatures and a myriad of other properties. Use these properties as IoCs to hunt down badness in your network.

Multi-property searches can be performed via advanced modifiers and threat actor campaigns can be fully mapped through pivoting and similarity searching. Lightning-fast binary n-gram searches complement file similarity searches to find other unknown variants of an attack and different malware pertaining to a same threat actor.


Understand how malware files act and communicate. VirusTotal detonates files in virtual controlled environments to trace their activities and communications, producing detailed reports including opened, created and written files, created mutexes, registry keys set, contacted domains, URL lookups, etc. This execution activity is indexed in a faceted fashion in order to allow for instantaneous lookups.

Dynamic analysis capabilities do not only focus on execution traces but also on running static+dynamic analysis plugins to decode RAT malware configs and extract network infrastructure that may have not been observed during real time execution.


Gain context on threat location and techniques used to propagate and disseminate malware. VirusTotal runs backend processes like sandboxing, inter-file relationship generation, email attachment extraction, URL to file mapping, and labelling of files coming from honeypots. Third-party tools like Microsoft Sysinternals suite also contribute metadata about in-the-wild end-user sightings of malware.


Take advantage of backend processes to understand inter-file-netloc relationships, discover emails that may embed a given threat, link files to parent network traffic PCAPs, discover other variants signed by the same publisher, pinpoint compressed packages that contained a given threat, etc.

Filter files matching your criteria, look at in-depth information for your matches and download the pertinent files for further offline study.


Clustering and similarity search capabilities.

Search for similar files using several hashes/algorithms: ssdeep content similarity searches, imphash, icon visual similarity and our own in-house structural feature hash.

Content searching

Low latency searches for random binary patterns contained within files, not only strings search but any kind of binary sequence, powered by a 5 petabyte n-gram index.

Elastic searching

Over 40 search modifiers can be used to hunt down malware samples of interest based on static, dynamic and relational properties. Example: type:dmg AND signature: "T8RS3R6DT4" AND metadata:"adharma" AND behaviour:"pkill -9 -i Flash Update 13.6 Installer" AND (behaviour:"" OR behaviour:"")

Combine any number of modifiers

Search parameters can be combined in order to identify files that match highly complex criteria, filtering noise and focusing on threats that are relevant to your investigations.


This is some of the additional information available for files matching your search criteria:

Submission metadata

First seen and last seen dates, number of submissions, submission file names, submission countries, submission dates, ciphered submitter identifier, submission interface, number of distinct submitters, etc.

Static information

Sigcheck, packer information, PE structure, Exif attributes, ELF structure, package contents, OLE VBA Macro code stream, suspicious PDF properties, embedded file icons, etc.

Dynamic information

Behavior characterization through sandbox execution for major operating systems: Windows, Android, OS X and Linux.

Complete scanning information

All reports on a given sample, not only the latest snapshot. Understand how threat detections evolve over time, discover the in-the-wild lifespan of malware.

Telemetry metadata

Partner tools contribute rich end-user PC metadata to our dataset, e.g. Windows registry keys in which an executable is registered for autolaunch upon reboot, creation date on end-user machine, full name and path of the file.

Goodware and whitelisting information

Goodware index, VirusTotal Community voting, aggregation of publicly available goodware databases as well as legitimate software whitelisting details shared by top partners and ingested from VirusTotal Monitor.


Global origins

Files submitted from 232 unique ISO country codes, which includes almost 3M distinct sources in the last year.

Structural clustering of polymorphic variants

198,000 clusters generated per day during an average month. About 35% of all files with a feature hash are clustered in the top 200 collections.

File types

Over 100 identified file types seen per day, on average. Examples: Win32 DLL, Win32, EXE, HTML, Java Bytecode, Android, PDF, Text, Mach-O, ZIP, PNG, XML, MS Word, JPEG, ELF, RAR, Office Open XML, C++, C, GZIP, JAR, DOS, EXE, MS Excel, MP3, Python, 7ZIP, Windows, GIF, Email

ITW file origin

More than 400M files with origin information; more than 100M portable executables from distinct URLs; more than 200M files with rich telemetry data; more than 5M emails for rich contextual information.



More than 2.4B files in the dataset

Many files with strong signals to help security researches identify malware


Between 2M and 8M URLs analysed per day

Approximately 300k per day are distinct and detected by more than 5 URL scanners


File feeds with approximately 1.8M file analyses per day

Files included for download, with all raw data available. Feed includes rescans of files with updated information

Powered by Google infrastructure

With the data security, reliability and computation power of the Google infrastructure