Register for our next deep dive! Who is Behind Portal Kombat? Exposing the Pravda Disinformation Machine with OSINT on Thursday, June 27, 2024, at 16:00 CET. Grab your spot now! close

VirusTotal Premium API

By Maltego Technologies
Leverage 15 years of malicious sightings to enrich your organization’s malware observations and logs.
# Infrastructure & Network Information # Malware # Cybercrime # Incident Response
VirusTotal Premium API integration for Maltego

VirusTotal Premium API Transforms for Maltego 

VirusTotal provides a service to analyze files and URLs for viruses, worms, trojans, and other kinds of malicious content. It is one of the most renowned and best-rated data sources within the cybersecurity sphere, particularly when it comes to malware research. 
Upon submitting a file or URL, basic results are shared with the submitter and between the examining partners who use results to improve their own systems. It inspects items with over 70 antivirus scanners and URL/domain blacklisting services in addition to a myriad of tools to extract signals from the studied content. This core analysis is also the basis for several other features, including the VirusTotal Community: A network that allows users to comment on files and URLs and share notes with each other. VirusTotal can be useful in detecting malicious content and also in identifying false positives—Normal and harmless items detected as malicious by one or more scanners. 
Through collaboration between members of the antivirus industry, researchers, and end-users of all kinds, VirusTotal has built a database of over two billion analyzed files thus filling a gap for many companies which experience a lack of resources to collect their own malware samples and related indicators of compromise (IOCs). 

The Premium API is a paid solution available for enterprise users. This is an extension of the VirusTotal Public API and can thus return more threat context, as well as expose advanced threat hunting, malware discovery endpoints, and functionality, such as the VirusTotal Intelligence Search queries. More information on the VirusTotal APIs can be found here . 

The Premium API has many advantages over the Public API such as: 

  • A strict Service License Agreement (SLA) that guarantees availability and readiness of data 
  • Has more endpoints (similarity search, clustering, behavioral information, etc.), and returns richer information for the items looked up, exposes whitelisting, and trusted source information 
  • Allows you to choose a request rate and daily quota allowance that best suits your needs 

VirusTotal Premium API use case in Maltego

Typical Users of VirusTotal Premium API Data

  • Threat Intelligence Teams
  • Incident Response Teams
  • Cyber and Digital Forensics Teams
  • Security Analysts
  • SOCs and CERTs
  • Red Teams and Penetration Testers
  • Trust and Safety Teams

Integration Benefits

Identify Evolution of Threat Networks

Track the evolution of certain threat actors or malware families and reveal all indicators of compromise (IOCs) belonging to a given campaign. Access historical visibility into attacker activity starting from 2006.

Visualize Actionable Malware IOCs

Visually discover threat commonalities and understand relationships between files, URLs, domains, IP addresses, and other observables encountered in an ongoing investigation.

Enrich Existing Threat Intelligence

Gain comprehensive perspective in investigations by combining disparate data sources. Pivot off from or to VirusTotal data sets from other data entities and sources available on the Maltego Transform Hub.

Reduce False Positives

Contextualize your investigations with a myriad of orthogonal mechanisms to flag maliciousness: 70+ antivirus solutions, sandbox behavior verdicts, crowdsourced YARA/SIGMA/IDS rules, static dissection of macros, etc.

Leverage VirusTotal Private API Data for

Incident Response

SOC analysts are often confronted with hashes, domains, IPs, and URLs for which they know nothing. VirusTotal Transforms for Maltego allows them to instantly enrich and connect them to other global sightings, gaining immediate understanding about the threat campaign and the incident’s cyber kill chain. By visually pivoting and exploring VirusTotal’s interconnections, security teams can effortlessly surface hunting and remediate IoCs to feed their network perimeter defenses and neutralize the attack and its variants.

Threat Intelligence

Security analysts can explore campaigns and track threat actors before they hit their organizations, building a proactive understanding of adversary TTPs and preventatively blocking IoCs. Most importantly, the integration allows them to easily unearth malicious artifacts yet unknown to the security industry, improving their organization’s overall security posture.

Phishing Neutralization

Thousands of users world-wide connect their SOARs, honeypots, and spam traps to VirusTotal, acting as one of the largest networks of sensors reporting on phishing attacks real-time. Anti-fraud and cybercrime investigators can use the VirusTotal Maltego Transforms to map out phishing campaigns and identify the shortest route to mitigation, pivoting over Whois lookups, typo squatting URLs, passive DNS records and other commonalities to identify pre-operational infrastructure, taking it down before it impacts customers.

Corporate Infrastructure Breach and Abuse Mitigation

VirusTotal’s daily scanning activity acts as a massive passive fingerprinting framework. Some of these observations might be tied to your Internet-exposed infrastructure. By exploring this attack surface visually and contextualizing it with VirusTotal, you can power early identification of breaches and abuse.
Read more

Pricing & Access

Community Hub
Available only with a Maltego commercial license.
Commercial Hub
Users with Maltego One have the following access or purchase options:
Bring Your Own Key (Purchase Separately)

For full solution access, plug in your existing API key or reach out to us using the form below for purchase inquiry.

To purchase VirusTotal Premium API subscription, contact:

If you are interested in a trial of VirusTotal data, check out the VirusTotal Public API.



Enhance Malware Investigations with Maltego and VirusTotal


Rapid Analysis for Incident Response with VirusTotal and Maltego


Tracking Typosquatting and Brand Monitoring with Maltego


Using Maltego to Identify C2 Malware and Phishing Threats Targeting Your Organization


Investigate TA505 Threat Actor Group Using Maltego


Automate Investigations with Maltego Machines – Part 2: Our New Cybersec & SOCMINT Machines


Investigator Toolkit January 2023: Cheat Sheets for Faster and Spot-on Workflows


Webinar | Visual Investigations: Speed Up Incident Response, Forensics Analysis, and Hunting!


Webinar | Understanding the Weakest Links: Supply Chain Attacks Intelligence Insight


VirusTotal Solution in Maltego


How to Investigate Phishing Campaigns Using Maltego in 5 Minutes

Technical Docs

Maltego Documentation of VirusTotal Premium and Public API Transforms


Reach out to us to learn more about this data integration and how to access it.
By clicking on "Send Message", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

About VirusTotal Premium API

VirusTotal was founded in 2004 as a free service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. Our goal is to make the internet a safer place through collaboration between members of the antivirus industry, researchers, and end-users of all kinds. Fortune 500 companies, governments, and leading security companies are all part of the VirusTotal community, which has grown to over 500,000 registered users. VirusTotal became part of Google in 2012.

For more information, visit