turbot/virustotal
steampipe plugin install virustotal

Table: virustotal_url - Query VirusTotal URL Reports using SQL

VirusTotal is a service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. It uses an array of antivirus engines and website scanners, as well as a comprehensive dataset that is updated in real time. VirusTotal's URL reports provide detailed information about the URLs analyzed, including the scan results, detection ratios, and the time of the last analysis.

Table Usage Guide

The virustotal_url table provides insights into URL reports within VirusTotal. As a cybersecurity analyst, explore URL-specific details through this table, including scan dates, detection ratios, and scan results. Utilize it to uncover information about URLs, such as their safety status, the details of the scans performed on them, and the detection ratios associated with each URL.

Important Notes

  • You must specify either the url (URL address) or the id (hash of the URL) in the where clause to query this table.

Examples

Get URL information

Discover the segments that are associated with a specific website by analyzing its URL. This can be beneficial for identifying potential security risks or understanding the website's online footprint.

select
*
from
virustotal_url
where
url = 'https://github.com';
select
*
from
virustotal_url
where
url = 'https://github.com';

Get URL information by ID

Discover the specifics of a particular URL by using its unique ID. This can be particularly useful when investigating potentially harmful or suspicious URLs for cybersecurity purposes.

select
*
from
virustotal_url
where
id = '09a8b930c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57';
select
*
from
virustotal_url
where
id = '09a8b930c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57';

Find all scanner results where result was not clean

Identify instances where the scan results were not clean for a specific URL. This could be used to assess the security and safety of the website, highlighting any potential threats or issues.

select
analysis.key as scanner,
analysis.value ->> 'result' as result
from
virustotal.virustotal_url,
jsonb_each(last_analysis_results) as analysis
where
url = 'https://github.com'
and analysis.value ->> 'result' != 'clean'
order by
scanner;
select
analysis.key as scanner,
json_extract(analysis.value, '$.result') as result
from
virustotal.virustotal_url,
json_each(last_analysis_results) as analysis
where
url = 'https://github.com'
and json_extract(analysis.value, '$.result') != 'clean'
order by
scanner;

Schema for virustotal_url

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
categoriesjsonbMapping that relates categorisation services with the category it assigns the url to. These services are, among others: Alexa, BitDefender, TrendMicro, Websense ThreatSeeker, etc.
categorytextNormalized result: harmlaess, undetected, suspicious, malicious.
engine_nametextComplete name of the URL scanning service.
faviconjsonbDictionary including difference hash and md5 hash of the url's favicon. Only available for premium users.
first_submission_datetimestamp with time zoneUTC timestamp of the date where the URL was first submitted to VirusTotal.
html_metajsonbAll meta tags (only for URLs downloading a HTML). Keys are the meta tag name and value is a list containing all values of that meta tag.
idtext=ID of the URL.
last_analysis_datetimestamp with time zoneUTC timestamp representing last time the URL was scanned.
last_analysis_resultsjsonbResult from URL scanners. dict with scanner name as key and a dict with notes/result from that scanner as value.
last_analysis_statsjsonbNumber of different results from this scans.
last_final_urltextIf the original URL redirects, where does it end.
last_http_response_codebigintHTTP response code of the last response.
last_http_response_content_lengthbigintLength in bytes of the content received.
last_http_response_content_sha256textURL response body's SHA256 hash.
last_http_response_cookiesjsonbThe website's cookies.
last_http_response_headersjsonbHeaders and values of last HTTP response.
last_modification_datetimestamp with time zoneDate when any of IP's information was last updated.
last_submission_datetimestamp with time zoneUTC timestamp representing last time it was sent to be analysed.
methodtextType of service given by that URL scanning service, e.g. blacklist.
outgoing_linksjsonbLinks to different domains.
reputationbigintURL's score calculated from the votes of the VirusTotal's community.
resulttextRaw value returned by the URL scanner: e.g. clean, malicious, suspicious, phishing. It may vary from scanner to scanner, hence the need for the category field for normalisation.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
tagsjsonbList of representative attributes.
targeted_brandjsonbTargeted brand info extracted from phishing engines.
times_submittedbigintNumber of times that URL has been checked.
titletextWeb page title.
total_votesjsonbUnweighted number of total votes from the community, divided into harmless and malicious.
trackersjsonbcontains all found trackers in that URL in a historical manner. Every key is a tracker name, which is a dictionary containing.
urltext=The URL to retrieve.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- virustotal

You can pass the configuration to the command with the --config argument:

steampipe_export_virustotal --config '<your_config>' virustotal_url