openDxlApi: '0.1' info: title: 'VirusTotal API DXL Service' version: 0.1.0 description: 'The OpenDXL VirusTotal service(s) exposes access to the VirusTotal API via the Data Exchange Layer (DXL) fabric.' contact: name: OpenDXL url: 'https://www.opendxl.com' solutions: 'VirusTotal API DXL Service': info: title: 'VirusTotal API DXL Service' version: 0.2.0 description: 'The VirusTotal API DXL Service.' externalDocs: description: 'VirusTotal Public API Reference' url: 'https://www.virustotal.com/en/documentation/public-api/' services: - $ref: '#/services/VirusTotal API DXL Service' events: [] services: 'VirusTotal API DXL Service': info: title: 'VirusTotal API DXL Service' version: 0.2.0 description: 'The VirusTotal DXL service exposes access to the VirusTotal API via the Data Exchange Layer (DXL) fabric.' externalDocs: description: 'VirusTotal API DXL Python Service (GitHub)' url: 'https://github.com/opendxl/opendxl-virustotal-service-python' requests: - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1file~1rescan' - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1file~1report' - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1url~1scan' - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1url~1report' - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1ip-address~1report' - $ref: '#/requests/~1opendxl-virustotal~1service~1vtapi~1domain~1report' requests: /opendxl-virustotal/service/vtapi/file/rescan: description: 'Invokes a VirusTotal ''file rescan'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Rescanning already submitted files''' url: 'https://www.virustotal.com/en/documentation/public-api/#rescanning-files' payload: properties: resource: description: 'Hash (md5/sha1/sha256). You can also specify a CSV list made up of a combination of any of the three allowed hashes (up to 25 items). Note that the file(s) must already be present in the VirusTotal file store.' type: string required: - resource example: resource: 7657fcb7d772448a6d8504e4b20168b8 response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: response_code: 1 scan_id: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71-1390472785 permalink: 'https://www.virustotal.com/file/__sha256hash__/analysis/1390472785/' sha256: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71 resource: 7657fcb7d772448a6d8504e4b20168b8 errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' /opendxl-virustotal/service/vtapi/file/report: description: 'Invokes a VirusTotal ''file report'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Retrieving file scan reports''' url: 'https://www.virustotal.com/en/documentation/public-api/#getting-file-scans' payload: properties: resource: description: 'Hash (md5/sha1/sha256) of the file or SHA-256 hash (''scan_id'') of the specific existing report you wish to retrieve. You can also specify a CSV list made up of a combination of any of the three allowed hashes (up to 4 items). Note that the file(s) must already be present in the VirusTotal file store.' type: string required: - resource example: resource: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71-1549331758 response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: response_code: 1 verbose_msg: 'Scan finished, scan information embedded in this object' resource: 99017f6eebbac24f351415dd410d522d scan_id: 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c-1273894724 md5: 99017f6eebbac24f351415dd410d522d sha1: 4d1740485713a2ab3a4f5822a01f645fe8387f92 sha256: 52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c scan_date: '2010-05-15 03:38:44' positives: 1 total: 2 scans: McAfee: detected: true version: 5.400.0.1158 result: Generic.dx!rkx update: '20100515' F-Prot: detected: false version: 4.5.1.85 result: null update: '20100514' permalink: 'https://www.virustotal.com/file/52d3df0ed60c46f336c131bf2ca454f73bafdc4b04dfa2aea80746f5ba9e6d1c/analysis/1273894724/' errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' /opendxl-virustotal/service/vtapi/url/scan: description: 'Invokes a VirusTotal ''URL scan'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Sending and scanning URLs''' url: 'https://www.virustotal.com/en/documentation/public-api/#scanning-urls' payload: properties: url: description: 'The URL that should be scanned. This parameter accepts a list of URLs (up to 4 with the standard request rate) so as to perform a batch scanning request with one single call. The URLs must be separated by a new line character.' type: string example: url: 'http://www.virustotal.com' response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: permalink: 'https://www.virustotal.com/url/1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31/analysis/1549501826/' resource: 'http://www.virustotal.com/' response_code: 1 scan_date: '2019-02-07 01:10:26' scan_id: 1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31-1549501826 url: 'http://www.virustotal.com/' verbose_msg: 'Scan request successfully queued, come back later for the report' errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' /opendxl-virustotal/service/vtapi/url/report: description: 'Invokes a VirusTotal ''URL report'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Retrieving URL scan reports''' url: 'https://www.virustotal.com/en/documentation/public-api/#getting-url-scans' payload: properties: resource: description: 'URL for which to retrieve the most recent report. You may also specify a ''scan_id'' (sha256-timestamp as returned by the URL submission API) to access a specific report. At the same time, you can specify a CSV list made up of a combination of hashes and ''scan_id''s so as to perform a batch request with one single call (up to 4 resources per call with the standard request rate). When sending multiples, the ''scan_id''s or URLs must be separated by a new line character.' type: string required: - resource example: resource: 'http://www.virustotal.com' response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: filescan_id: null permalink: 'https://www.virustotal.com/url/1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31/analysis/1549563068/' positives: 0 resource: 'http://www.virustotal.com' response_code: 1 scan_date: '2019-02-07 18:11:08' scan_id: 1db0ad7dbcec0676710ea0eaacd35d5e471d3e11944d53bcbd31f0cbd11bce31-1549563068 scans: Avira: detected: false result: 'clean site' 'CLEAN MX': detected: false result: 'clean site' total: 2 url: 'http://www.virustotal.com/' verbose_msg: 'Scan finished, scan information embedded in this object' errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' /opendxl-virustotal/service/vtapi/ip-address/report: description: 'Invokes a VirusTotal ''IP address report'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Retrieving IP address reports''' url: 'https://www.virustotal.com/en/documentation/public-api/#getting-ip-reports' payload: properties: ip: description: 'A valid IPv4 address in dotted quad notation, for the time being only IPv4 addresses are supported.' type: string required: - ip example: ip: 90.156.201.27 response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: as_owner: '.masterhost autonomous system' asn: '25532' continent: EU country: RU detected_downloaded_samples: - date: '2017-10-22 02:45:39' positives: 1 sha256: a2765185a15d8deebc76ae0fede9aca69ff8a838f80ba80aca269e93ad028d11 total: 63 - date: '2017-10-12 01:34:54' positives: 27 sha256: 24da30bc528fc99eea326e40405422e6077793aa439c6da38f6103286155621b total: 50 detected_urls: - positives: 2 scan_date: '2018-06-15 05:59:02' total: 68 url: 'http://www.npftin.ru/' - positives: 1 scan_date: '2018-06-15 04:00:18' total: 67 url: 'http://coloreat.ru/people?order=user_login' network: 90.156.128.0/17 resolutions: - hostname: otvody.trubarm.ru last_resolved: '2017-09-17 00:00:00' - hostname: ourfoods.ru last_resolved: '2018-08-26 14:39:39' response_code: 1 undetected_downloaded_samples: - date: '2019-02-06 10:31:56' positives: 0 sha256: ace5dc20c9d255e174e21d2334caac90ac4f45e9e0da16076811185d0717b5e9 total: 59 - date: '2019-02-06 10:21:46' positives: 0 sha256: b0e4a3d9fbc32b6b3f7d6460572036e811854c24205b795c4a601f132f83f65e total: 58 undetected_urls: - - 'http://ethology.ru/video/?id=77' - 54ad59859c6d370b2f8c6e8012849d9ad8469a0f2be1593856c7279eb5b87975 - 0 - 69 - '2019-02-03 14:09:23' - - 'http://profinews.ru/' - 522db998c133ed88074533d3076264b900317c51e5469d802d8d1fe4ef508f19 - 0 - 69 - '2019-01-21 12:18:07' verbose_msg: 'IP address in dataset' whois: 'Last updated on 2019-01-10T06:11:31Z' whois_timestamp: 1547100971 errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' /opendxl-virustotal/service/vtapi/domain/report: description: 'Invokes a VirusTotal ''domain address report'' command and returns the results.' externalDocs: description: 'VirusTotal Public API v2.0 Reference: ''Retrieving domain reports''' url: 'https://www.virustotal.com/en/documentation/public-api/#getting-domain-reports' payload: properties: domain: description: 'A domain name.' type: string required: - domain example: domain: 027.ru response: description: 'The contents of the DXL response payload will match exactly to the response provided by the VirusTotal API. Please see the VirusTotal Public API Reference for further details.' payload: example: 'BitDefender category': parked 'Dr.Web category': 'known infection source' 'Forcepoint ThreatSeeker category': uncategorized 'Websense ThreatSeeker category': uncategorized 'Webutation domain info': 'Adult content': yes 'Safety score': 40 Verdict: malicious categories: - parked - uncategorized detected_downloaded_samples: - date: '2013-06-20 18:51:30' positives: 2 sha256: cd8553d9b24574467f381d13c7e0e1eb1e58d677b9484bd05b9c690377813e54 total: 46 detected_referrer_samples: [] detected_urls: - positives: 1 scan_date: '2016-11-09 21:36:51' total: 68 url: 'http://027.ru/testing' - positives: 2 scan_date: '2015-02-18 08:54:52' total: 62 url: 'http://027.ru/index.html' domain_siblings: [] resolutions: - ip_address: 185.53.177.31 last_resolved: '2018-09-03 10:58:50' - ip_address: 46.38.62.7 last_resolved: '2019-02-03 04:49:26' response_code: 1 subdomains: - www.027.ru - test.027.ru undetected_downloaded_samples: - date: '2018-01-14 22:34:24' positives: 0 sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 total: 70 undetected_referrer_samples: - date: '2018-03-04 16:38:06' positives: 0 sha256: ce08cf22949b6b6fcd4e61854ce810a4f9ee04529340dd077fa354d759dc7a95 total: 66 - positives: 0 sha256: b8f5db667431d02291eeec61cf9f0c3d7af00798d0c2d676fde0efb0cedb7741 total: 53 undetected_urls: [] verbose_msg: 'Domain found in dataset' whois: "domain: 027.RU\nnserver: ns1.nevstruev.ru.\nnserver: ns2.nevstruev.ru.\nstate: REGISTERED, DELEGATED, VERIFIED\nregistrar: RU-CENTER-RU\ncreated: 2005-12-08T21:00:00Z\npaid-till: 2019-12-08T21:00:00Z\nsource: TCI\nLast updated on 2019-02-03T04:46:31Z" whois_timestamp: 1549169366 errorResponses: '0': payload: $ref: '#/definitions/VirusTotal HTTP Error Response Object' definitions: 'VirusTotal HTTP Error Response Object': properties: errorMessage: description: 'Message string containing HTTP error response information.' type: string example: 'VirusTotal error, VirusTotal API request rate limit exceeded. (204)'