virustotal
$
npx mdskill add taracodlabs/aiden/virustotalChecks files, URLs, domains, and IPs against 70+ antivirus engines for malware
- Identifies malicious files, URLs, domains, or IPs during incident response or triage
- Uses VirusTotal API with an API key for access to threat intelligence data
- Analyzes results from antivirus engines and threat feeds to detect malware or phishing
- Returns detailed analysis stats including malicious, suspicious, and harmless verdicts
SKILL.md
.github/skills/virustotalView on GitHub ↗
---
name: virustotal
description: "VirusTotal: check file/URL/domain/IP against 70+ AV engines"
category: security
version: 1.0.0
license: Apache-2.0
origin: aiden
tags: security, virustotal, malware, antivirus, threat-intel, hash, url, domain, ip, incident-response
env_required:
- VIRUSTOTAL_API_KEY
---
# VirusTotal — Threat Intelligence
VirusTotal aggregates results from 70+ antivirus engines and threat intelligence feeds. Check file hashes, URLs, domains, and IP addresses for known malware, phishing, and suspicious activity.
**Requires:** `VIRUSTOTAL_API_KEY` — free at https://www.virustotal.com/gui/my-apikey (4 req/min on free tier).
## When to Use
- User has a file hash and wants to know if it is malware
- User has a suspicious URL and wants a reputation check
- User is investigating an incident and needs threat context for a domain or IP
- User asks "is this hash malicious?", "check this URL", or "is this domain flagged?"
- SOC/IR workflow: triage IOCs (indicators of compromise) quickly
## How to Use
### Check a file hash (MD5, SHA-1, or SHA-256)
```powershell
$hash = "44d88612fea8a8f36de82e1278abb02f" # EICAR test file
$key = $env:VIRUSTOTAL_API_KEY
$url = "https://www.virustotal.com/api/v3/files/$hash"
$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
$stats = $result.data.attributes.last_analysis_stats
Write-Host "File: $($result.data.attributes.meaningful_name)"
Write-Host "Malicious: $($stats.malicious) / $($stats.malicious + $stats.undetected + $stats.harmless)"
Write-Host "Suspicious: $($stats.suspicious)"
Write-Host "First seen: $($result.data.attributes.first_submission_date)"
```
### Check a URL for malware or phishing
```powershell
$targetUrl = "https://example.com"
$key = $env:VIRUSTOTAL_API_KEY
# URL id = URL-safe base64 without padding
$bytes = [System.Text.Encoding]::UTF8.GetBytes($targetUrl)
$b64 = [Convert]::ToBase64String($bytes).Replace('+','-').Replace('/','_').TrimEnd('=')
$url = "https://www.virustotal.com/api/v3/urls/$b64"
$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
$stats = $result.data.attributes.last_analysis_stats
Write-Host "URL: $targetUrl"
Write-Host "Malicious: $($stats.malicious)"
Write-Host "Phishing: $($result.data.attributes.categories -join ', ')"
Write-Host "Reputation: $($result.data.attributes.reputation)"
```
### Check a domain's reputation
```powershell
$domain = "example.com"
$key = $env:VIRUSTOTAL_API_KEY
$url = "https://www.virustotal.com/api/v3/domains/$domain"
$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
$attrs = $result.data.attributes
Write-Host "Domain: $domain"
Write-Host "Reputation: $($attrs.reputation)"
Write-Host "Categories: $($attrs.categories.PSObject.Properties.Value -join ', ')"
$stats = $attrs.last_analysis_stats
Write-Host "Malicious: $($stats.malicious) engines"
```
### Check an IP address
```powershell
$ip = "1.1.1.1"
$key = $env:VIRUSTOTAL_API_KEY
$url = "https://www.virustotal.com/api/v3/ip_addresses/$ip"
$result = Invoke-RestMethod -Uri $url -Headers @{ "x-apikey" = $key }
$attrs = $result.data.attributes
$stats = $attrs.last_analysis_stats
Write-Host "IP: $ip"
Write-Host "AS Owner: $($attrs.as_owner)"
Write-Host "Country: $($attrs.country)"
Write-Host "Reputation: $($attrs.reputation)"
Write-Host "Malicious: $($stats.malicious) engines"
```
## Examples
**"Is hash 44d88612fea8a8f36de82e1278abb02f malware?"**
→ Use the file hash check — malicious count > 0 means confirmed threats.
**"Check if https://suspicious-login.com is phishing"**
→ Use the URL check — look at `malicious` and `phishing` categories.
**"I got an alert for domain evil-c2.net — is it known bad?"**
→ Use the domain check — look at reputation score and malicious engine count.
**"This IP keeps hitting our firewall — is it a known attacker?"**
→ Use the IP check — `reputation < 0` and high malicious count = treat as threat.
## Cautions
- Free tier rate limit: 4 requests per minute — add `Start-Sleep -Seconds 16` between calls when checking multiple IOCs
- VirusTotal results reflect last scan time; for fresh analysis you must submit (POST /files or POST /urls) — not covered here
- A clean result (0 detections) does not guarantee safety — new malware may not yet be in the database
- File hashes are public — never submit sensitive files directly; only submit the hash
- Reputation score: positive = clean, 0 = neutral, negative = suspicious/malicious
## Requirements
- `VIRUSTOTAL_API_KEY` — free account at https://www.virustotal.com/gui/join-us
More from taracodlabs/aiden
- ade-footerInstalled skill — add instructions here
- archon-bridgeUnified portfolio + order routing across Zerodha, Upstox, Angel One
- censysCensys lookups: hosts, certificates, services on the public internet
- clipboard-historyRead/write Windows clipboard text, HTML, images, history (PowerShell)
- code_executionRunning scripts and code on Windows
- create_txt_fileCreates a text file with specified content at a given path
- crt.shEnumerate subdomains and TLS certs via CT logs (no API key needed)
- currently_running_processesShow me my currently running processes.
- cveapiCVE lookup via MITRE + NVD: severity, CVSS, affected products, refs
- decrease_volume_littleDecreases the system volume by a small amount.