Register for our next deep dive! Learn how to equip your team with strategies and tools to detect and dismantle organized crime on Thursday, July 25, 2024, at 16:00 CET.Register now! close

VirusTotal Public API

By Maltego Technologies
Leverage 15 years of malicious sightings to enrich your organization’s malware observations and logs.
# Infrastructure & Network Information # Malware # Cybercrime # Incident Response
VirusTotal Public API integration for Maltego

VirusTotal Public API Transforms for Maltego 

VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. 

It provides as a free service a public API that allows for automation of some of its online features such as upload and scan files, submit and scan URLs, access finished scan reports, and make automatic comments on URLs and samples.  

With the VirusTotal Transforms for Maltego, investigators can query the VirusTotal Public API for information about IP Addresses, Hashes, Domains, and URLs directly within Maltego. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service. 

Kindly note that some restrictions apply for requests made through the public API, such as requiring an individual API key freely obtained by signing up online, low priority scan queue, and limited number of requests. 

VirusTotal Public API use case in Maltego

Typical Users of VirusTotal Public API Data

  • Threat Intelligence Teams
  • Incident Response Teams
  • Cyber and Digital Forensics Teams
  • Security Analysts
  • SOCs and CERTs
  • Red Teams and Penetration Testers
  • Trust and Safety Teams

Integration Benefits

Identify Evolution of Threat Networks

Track the evolution of certain threat actors or malware families and reveal all IOCs belonging to a given campaign. Access historical visibility into attacker activity starting from 2006.

Visualize Actionable Malware IOCs

Visually discover threat commonalities and understand relationships between files, URLs, domains, IP addresses, and other observables encountered in an ongoing investigation.

Enrich Existing Threat Intelligence

Gain comprehensive perspective in investigations by combining disparate data sources. Pivot off from or to VirusTotal datasets from other data entities and sources available on the Maltego Transform Hub.

Reduce False Positives

Contextualize your investigations with a myriad of orthogonal mechanisms to flag maliciousness: 70+ antivirus solutions, sandbox behavior verdicts, crowdsourced YARA/SIGMA/IDS rules, static dissection of macros, and more.

Leverage VirusTotal Public API Data for

Incident Response

SOC analysts are often confronted with hashes, domains, IPs, and URLs which they know nothing about. VirusTotal Transforms for Maltego allows them to instantly enrich and connect them to other global sightings, gaining immediate understanding about the threat campaign and the incident’s cyber kill chain. By visually pivoting and exploring VirusTotal’s interconnections, security teams can effortlessly surface hunting and remediate IoCs to feed their network perimeter defenses and neutralize the attack and its variants.

Threat Intelligence

Security analysts can explore campaigns and track threat actors before they hit their organizations, building a proactive understanding of adversary TTPs and preventatively blocking IoCs. Most importantly, the integration allows them to easily unearth malicious artifacts yet unknown to the security industry, improving their organization’s overall security posture.

Phishing Neutralization

Thousands of users world-wide connect their SOARs, honeypots, and spam traps to VirusTotal, acting as one of the largest networks of sensors reporting on phishing attacks real-time. Anti-fraud and cybercrime investigators can use the VirusTotal Maltego Transforms to map out phishing campaigns and identify the shortest route to mitigation, pivoting over Whois lookups, typo squatting URLs, passive DNS records and other commonalities to identify pre-operational infrastructure, taking it down before it impacts customers.

Corporate Infrastructure Breach and Abuse Mitigation

VirusTotal’s daily scanning activity acts as a massive passive fingerprinting framework. Some of these observations might be tied to your Internet-exposed infrastructure. By exploring this attack surface visually and contextualizing it with VirusTotal, you can power early identification of breaches and abuse.
Read more



Enhance Malware Investigations with Maltego and VirusTotal


Rapid Analysis for Incident Response with VirusTotal and Maltego


Using Maltego to Identify C2 Malware and Phishing Threats Targeting Your Organization


Investigate TA505 Threat Actor Group Using Maltego


Tracking Typosquatting and Brand Monitoring with Maltego


Webinar | Visual Investigations: Speed Up Incident Response, Forensics Analysis, and Hunting!


Webinar | Understanding the Weakest Links: Supply Chain Attacks Intelligence Insight


VirusTotal Solution in Maltego


How to Investigate Phishing Campaigns Using Maltego in 5 Minutes


How to Conduct Network Footprinting Using Maltego in 5 Minutes

Technical Docs

Maltego Documentation Of VirusTotal Premium and Public API Transforms


Reach out to us to learn more about this data integration and how to access it.
By clicking on "Send Message", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

About VirusTotal

VirusTotal was founded in 2004 as a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. Virus Total’s goal is to make the internet a safer place through collaboration between members of the antivirus industry, researchers and end users of all kinds. Fortune 500 companies, governments and leading security companies are all part of the VirusTotal community, which has grown to over 500,000 registered users. VirusTotal became part of Google in 2012.

For more information, visit