File search modifiers

There is a set of special terms that you can use to refine your search results. For example, you can use the term positives:5+ to get files detected by five antivirus solutions or more. If you want those detected by ten engines or less, you can use positives:11-. If you specify the number without any trailing plus or minus sign, you will retrieve those detected by exactly the given number of engines, i.e. positives:7. These terms can be used more than once in the same query; for example, positives:20+ positives:31- will return any file detected by a number of engines in the range 20-30.
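The numeric modifier semantics above (a trailing plus means at least the given number, a trailing minus means fewer than it, no sign means exactly that number), as an added Python example that is not part of the Google Threat Intelligence documentation or service: a small local evaluator that parses a query string in this syntax and applies it to constructed sample records, which is useful for sanity-checking a query before sending it to the service. It goes beyond positives to the other numeric modifiers in the table below (size with its KB/MB suffixes, submissions, sources, the sigma_* counts) and to the type, tag and free-text modifiers; the record layout and the names parse_query, matches and search are this example's own assumptions.

```python
"""Local evaluator for the file search modifier syntax described on this page.
Added example, not Google Threat Intelligence code: it parses a query such as
'positives:20+ positives:31- type:peexe' and applies it to constructed records,
which is handy for sanity-checking a query before sending it to the service."""
from __future__ import annotations

import operator
import re
import shlex
from dataclasses import dataclass
from typing import Callable

# Numeric modifiers from the page, with their short aliases folded in.
NUMERIC = {
    "positives": "positives", "p": "positives",
    "children_positives": "children_positives", "cp": "children_positives",
    "submissions": "submissions", "s": "submissions",
    "sources": "sources", "size": "size",
    "sigma_critical": "sigma_critical", "sigma_high": "sigma_high",
    "sigma_medium": "sigma_medium", "sigma_low": "sigma_low",
}
# type: and tag: both test membership in the record's tag list (the page notes
# that every sample is tagged with its file type, so one list serves both).
SET_VALUED = {"type": "tags", "tag": "tags"}
# size: takes bytes by default; KB and MB suffixes are accepted.
SIZE_UNITS = {"": 1, "B": 1, "KB": 1024, "MB": 1024 * 1024}
# Trailing sign semantics: 5+ is "five or more", 11- is "ten or less", 7 is exactly seven.
SIGN_OPS = {"+": operator.ge, "-": operator.lt, None: operator.eq}


@dataclass
class Filter:
    field: str                      # record key the filter is applied to
    test: Callable[[object], bool]  # predicate over the record's value
    text: str                       # original token, kept for error messages


def parse_numeric(field: str, raw: str) -> Filter:
    """Parse values like 5+, 11-, 7, 120KB+ or 15MB- into a comparison."""
    m = re.fullmatch(r"(\d+)(KB|MB|B)?([+-])?", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"bad numeric value for {field}: {raw!r}")
    number, unit, sign = m.groups()
    if unit and field != "size":
        raise ValueError(f"{field} does not take a unit suffix")
    threshold = int(number) * SIZE_UNITS[(unit or "").upper()]
    op = SIGN_OPS[sign]
    return Filter(field, lambda v, op=op, n=threshold: op(v, n), f"{field}:{raw}")


def parse_query(query: str) -> list[Filter]:
    """Split a query into filters; shlex keeps quoted values with spaces intact."""
    filters: list[Filter] = []
    for token in shlex.split(query):
        if ":" not in token:
            raise ValueError(f"not a modifier:value term: {token!r}")
        key, value = token.split(":", 1)
        key = key.lower()
        if key in NUMERIC:
            filters.append(parse_numeric(NUMERIC[key], value))
        elif key in SET_VALUED:
            filters.append(Filter(SET_VALUED[key], lambda v, w=value.lower(): w in v, token))
        else:
            # Free-text modifiers (name, itw, metadata, behaviour, ...) are treated
            # as case-insensitive substring matches in this example.
            filters.append(Filter(key, lambda v, s=value.lower(): s in str(v).lower(), token))
    return filters


def matches(record: dict, filters: list[Filter]) -> bool:
    """All terms in a query are ANDed; a record lacking the field never matches."""
    return all(f.field in record and f.test(record[f.field]) for f in filters)


def search(records: list[dict], query: str) -> list[str]:
    """Return the identifiers of every record matching the query, in input order."""
    filters = parse_query(query)
    return [r["id"] for r in records if matches(r, filters)]


# Constructed sample records with placeholder identifiers (not real samples).
SAMPLES = [
    {"id": "sample-a", "positives": 25, "size": 150 * 1024, "submissions": 3,
     "tags": ["peexe", "overlay"], "name": "winshell.ocx"},
    {"id": "sample-b", "positives": 31, "size": 2 * 1024 * 1024, "submissions": 12,
     "tags": ["peexe", "signed"], "name": "setup.exe"},
    {"id": "sample-c", "positives": 20, "size": 900, "submissions": 1,
     "tags": ["pdf", "js-embedded"], "name": "invoice.pdf"},
    {"id": "sample-d", "positives": 7, "size": 40 * 1024, "submissions": 2,
     "tags": ["peexe"], "name": "postal_report.exe"},
]

if __name__ == "__main__":
    for q in ("positives:20+ positives:31-", "positives:7", "p:11-",
              'type:peexe size:120KB+ name:"win"', "tag:js-embedded submissions:1"):
        print(f"{q:40} -> {search(SAMPLES, q)}")
```

The relative date form shown later for fs: and ls: (fs:3d+) is not handled by this evaluator, only absolute numeric values.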

You can directly type these modifiers on the search box:

[Image: File Search Modifiers search box]

Or click on the sliders icon:

[Image: File Search Modifiers sliders icon]

To get a form where you can use some of these modifiers:

[Image: File Search Modifiers form]
  1. Select a file type from the dropdown list of most common file types.
  2. Number of antivirus vendors that detected the file upon scanning with Google Threat Intelligence.
  3. Minimum file size. The size can be specified in bytes, kilobytes (default) or megabytes.
  4. Maximum file size. The size can be specified in bytes, kilobytes (default) or megabytes.
  5. Malware family name, matched exclusively on the antivirus results (no matter which particular engine produced the output). Example: "Trojan.Isbar" to search for malware with this family name.
  6. Executable files (for example: peexe, dmg, apks) whose dynamic behavioral report contains the literal provided.
  7. Finds all those files that have some (indexed) Exif field containing the literal(s) provided. This is not limited to Exif; certain other metadata sources also apply, such as taggant packer information, Office metadata, etc.
  8. Finds all those files that have some sigcheck/codesign (PE signature, Apple code signing) field containing the literal(s) provided.
  9. Files that have been downloaded from a URL containing the literal provided.
  10. Files submitted to Google Threat Intelligence with a file name that contains the literal provided.
  11. Files tagged by Google Threat Intelligence with the literal provided. Examples: android, html, peexe
  12. Files submitted to Google Threat Intelligence after this datetime.
  13. Files submitted to Google Threat Intelligence before this datetime.
  14. Number of times files were submitted to Google Threat Intelligence.
  15. Number of distinct sources that submitted the file to Google Threat Intelligence, independently of whether any given source submitted the file more than once.

The following table details the full list of available search modifiers along with the type of file on which the modifier can act. Please note that all these modifiers can be combined together and used in conjunction with the search modalities described above.

The following modifiers admit wildcards: attack_technique, attack_tactic, behaviour_network / behavior_network, capability_tab, name / filename.

Modifier: size
Scope: Any file type
Description: Filters the files to be returned according to size. The size can be specified in bytes (default), kilobytes or megabytes. A trailing plus or minus sign will retrieve those files with a size, respectively, larger than or smaller than the one provided. The modifier can be used more than once in the same query.
Examples: size:200, size:500+, size:120KB+, size:15MB-, size:1MB+

Modifier: type
Scope: Any file type
Description: Filters the type of file to be returned (i.e. magic signature). Example: type:pdf. This is the full list of available file type literals:
  • Executables: executable, peexe, pedll, ne, neexe, nedll, mz, msi, com, coff, elf, krnl, rpm, linux, macho, dmg, windows, win16, win32, pe, installer, dos, deb.
  • Internet: html, xml, flash, swf, fla, iecookie, bittorrent, email, outlook, cap, pcap, crx, chrome, extension, browser, xpi, firefox, js, truetype, internet.
  • Phones & tablets: mobile, symbian, palmos, wince, android, apk, iphone, ios.
  • Images: image, jpeg, jpg, draw, emf, tiff, gif, png, bmp, gimp, indesign, photoshop, psd, targa, xws, dib, jng, ico, fpx, eps, svg, webp, xwd.
  • Video & audio: audio, animation, ogg, flc, fli, mp3, flac, wav, midi, avi, mpeg, quicktime, qt, asf, divx, flv, wma, wmv, realmedia, rm, mov, mp4, 3gp, video, mkv, webm.
  • Documents: document, text, pdf, msoffice, presentation, postscript, ps, doc, docx, rtf, powerpoint, ppt, pptx, ppsx, slideshow, excel, xls, xlsx, odp, ods, odt, odf, odg, hangul, hwp, gul, ebook, latex, word, samsungdoc, epub, one, onenote, spreadsheet, openoffice, json, sgml.
  • Bundles: compressed, isoimage, zip, gzip, bzip, rzip, dzip, 7zip, cab, jar, rar, mscompress, ace, arc, arj, asd, blackhole, kgb, squashfs, zlib, tar, pkg, lzfse, zst.
  • Code: source, script, php, python, perl, ruby, c, cpp, java, jmod, shell, pascal, awk, dyalog, fortran, java-bytecode, class, javascript, ps, ps1, vba, vbs, powershell, json, m4, makefile, objectivec, pyc.
  • Apple: apple, apple-gen, macintosh, macintosh-gen, mac, applesingle, appledouble, machfs, appleplist, applescript, scpt, maclib.
  • Miscellaneous: lnk, ttf, rom, bios, firmware, multimedia, chm, eot, woff, font, openfont, opentype, help, math, crt, csv, ini, pem, pgp, sql, vhd.

Modifier: fs
Scope: Any file type
Description: Filters the files to be returned according to the first submission datetime to Google Threat Intelligence. It allows you to specify larger than or smaller than values.
Examples: fs:2009-01-01T19:59:22-, fs:2012-08-21T16:59:22+, fs:2012-08-21T16:00:00+ fs:2012-08-21T16:59:22-, fs:3d+

Modifier: ls
Scope: Any file type
Description: Filters the files to be returned according to the last submission datetime to Google Threat Intelligence. It allows you to specify larger than or smaller than values.
Examples: ls:2012-08-22T06:40:59, ls:2009-01-01T19:59:22-, ls:2012-08-21T16:59:22+, ls:2012-08-21T16:00:00+ ls:2012-08-21T16:59:22-, ls:3d+

Modifier: la
Scope: Any file type
Description: Filters the files to be returned according to the last analysis datetime by Google Threat Intelligence. Normally the last analysis datetime will be the same as the last submission datetime; however, sometimes users submit a file for scanning and then decide to view the latest report on the file rather than rescanning it, and in those cases both dates may differ. It allows you to specify larger than or smaller than values.
Examples: la:2012-08-21T16:00:00, la:2009-01-01T19:59:22-, la:2012-08-21T16:59:22+, la:2011-08-21T16:00:00+ la:2012-08-21T16:59:22-

Modifier: positives, p
Scope: Any file type
Description: Filters the files to be returned according to the number of antivirus vendors that detected the file upon scanning with Google Threat Intelligence. It allows you to specify larger than or smaller than values.
Examples: positives:1, positives:10+, positives:5-, positives:10+ positives:20-

Modifier: children_positives, cp
Scope: Any file type
Description: Filters the files to be returned according to the maximum number of detections of children files for a given sample. Samples with children files include compressed bundles, ROMs, etc.
Examples: children_positives:10+, children_positives:5-

Modifier: name
Scope: Any file type
Description: Returns the files submitted to Google Threat Intelligence with a file name that contains the literal provided.
Examples: name:"winshell.ocx", name:"postal"

Modifier: tag
Scope: Any file type
Description: Returns all those files tagged by Google Threat Intelligence with the literal provided.
Examples: tag:honeypot, tag:armadillo, tag:nsrl. These are some of the tags; the full list can be found at Full list of Google Threat Intelligence tag modifier:
  • via-tor: The file was submitted via a TOR node at least one time.
  • zero-filled: The file is zero filled, i.e. the full file is zero padding.
  • file_type: All samples are tagged at least with their file type, exactly the same as the type search modifier. Android related files can be tagged according to their specific file format, this is: apk, dex, odex, axml, arsc or faulty (if the file is corrupted in some way).
  • corrupt: Flags the sample as a corrupted file, if it is a portable executable it is more than likely that it will not be loaded by the Windows Loader.
  • 64bits: The sample targets 64bit architectures.
  • cve: The Common Vulnerability and Exposures identifier of the exploit that the file under consideration makes use of.
  • trusted: The file belongs to the software catalogue of a trusted developer, e.g. Microsoft.
  • signed: The file is signed (Windows Authenticode Portable Executable Signature/Apple signed/etc.).
  • nsrl: The file can be found in NIST's National Software Reference Library.
  • software-collection: The file is present in an online software collection like Softpedia, Softonic or similar.
  • honeypot: The file was caught in the wild by a network honeypot setup, e.g. Dionaea honeypot.
  • email-spam: The file was seen as an attachment or download link in spam emails.
  • attachment: The file was seen as an attachment in some email, however, there is no certainty regarding whether such email was spam.
  • exploit: The file is or makes use of an exploit.
  • smtp: The sample performs smtp communications when executed, this may be helpful in identifying spambots.
  • ftp: The sample performs ftp communications when executed.
  • ssh: The sample performs ssh communications when executed.
  • telnet: The sample performs telnet communications when executed.
  • mysql: The sample performs MySQL communications when executed.
  • irc: The sample performs IRC communications when executed.
  • suspicious-dns: The sample performs an unusual amount of DNS lookups for non-existing domains, could be an indication of a domain generation algorithm.
  • suspicious-udp: The sample performs an unusual amount of UDP connections, could be an indication of P2P botnet communication.
  • hosts-modifier: When executed, the given file modifies the system's hosts file.
  • nxdomain: File whose contacted domain cannot be resolved to an IP Address.

Portable Executable specific:
  • assembly: Identifies Portable Executable files that are .Net assembly.
  • native: Identifies Portable Executable linked using the Native subsystem, there is a high probability of these files being drivers.
  • packer: Whenever some of the packer detectors in Google Threat Intelligence identify the file as packed the file is tagged with the name of the packer (upx, asprox, themida, etc.).
  • efi: Extensible Firmware Interface portable executable.
  • overlay: The file contains an overlay, appended data at the end of the file, may be some additional malicious payload.
  • contains-rom: The executable seems to contain a ROM BIOS image.

Mac OS X Executable specific:
  • lib: The file is some kind of Mac OS X library, intended for linking, will not execute on its own.
  • arm: The executable is intended for ARM architectures.
  • ios: The executable is intended for iOS (iPhones, iPads, etc.).
  • suspicious-eip: The EIP register reloc for the executable's entry point is suspicious.
  • dropper: This executable seems to drop other Mach-Os.

DMG specific:
  • license: The DMG seems to contain some sort of user license agreement, often only found in legitimate applications.

Linux ELF Executable specific:
  • relocatable: ELFs that are input to the linker, rather than the final product.
  • shared-lib: Linux dynamic libraries, intended for linking, will not execute on their own.
  • coredump: Memory dump for a Linux executable.

File bundles specific:
  • contains-pe: The file bundle contains a portable executable.
  • contains-rom: The file bundle seems to contain a ROM BIOS image.
  • contains-macho: The file bundle contains a Mac OS X executable.
  • mac-app: The file bundle contains a full Mac OS X Bundle Application.
  • contains-elf: The file bundle contains a Linux ELF executable.
  • contains-dmg: The file bundle contains a DMG.
  • contains-deb: The file bundle contains a deb package.
  • blob: A compressed file that seems to contain some sort of version control blob inside it.
  • encrypted: An encrypted compressed file, needs a password to open it.
  • tar-bundle: A compressed file that contains a tar bundle inside, e.g. tar.gz files will be of type gzip and will be tagged as tar-bundle.

DEB package specific:
  • iphone: The deb package is intended for iPhones.
  • mobile-substrate: Makes use of saurik's platform that makes it easier to develop third-party addons for iOS.
  • cydia: The deb package is intended for Cydia, a software application for iOS that enables a user to find and install software packages on jailbroken iOS Apple devices.

PDF specific:
  • invalid-xref: PDF with an invalid xref table.
  • js-embedded: PDF that contains JavaScript.
  • flash-embedded: PDF that contains Flash.
  • autoaction: PDF that contains an automatic action to be performed when the document is viewed.
  • acroform: PDF that contains an AcroForm, which in turn may contain JavaScript that is executed when a document is opened.
  • launch-action: PDF that contains a launch action, which could launch a given JavaScript snippet.
  • file-embedded: PDF that contains an embedded file, could be executable code to launch via a launch action.

Document specific:
  • macros: Microsoft Office documents containing macros.
  • dos-stub: RTF file containing at least one MS-DOS stub string, may indicate that the file embeds a portable executable.
  • ole-embedded: RTF file containing at least one OLE embedded object.
  • ole-link: RTF file containing at least one OLE link object.
  • ole-autolink: RTF file containing at least one OLE autolink object.
  • mac-subscriber: RTF file containing at least one Macintosh Edition Manager subscriber object.
  • mac-publisher: RTF file containing at least one Macintosh Edition Manager publisher object.
  • mac-cmd-embedder: RTF file containing at least one Macintosh Installable Command (IC) Embedder object.
  • html-control: RTF file containing at least one Hypertext Markup Language (HTML) control object.
  • ole-control: RTF file containing at least one OLE control object.
  • auto-open: Open XML/Office documents that automatically run commands or instructions when the file is opened.
  • auto-close: Open XML/Office documents that automatically run commands or instructions when the file is closed.
  • auto-modify: Open XML/Office documents that automatically run commands or instructions when the file is modified.
  • auto-create: Open XML/Office documents that automatically run commands or instructions when a new document is created.
  • environ: Open XML/Office documents that may read system environment variables.
  • open-file: Open XML/Office documents that may open other files.
  • write-file: Open XML/Office documents that may write to other files.
  • handle-file: Open XML/Office documents that may perform operations with other files.
  • copy-file: Open XML/Office documents that may copy other files.
  • create-file: Open XML/Office documents that may create additional files.
  • run-file: Open XML/Office documents that may try to run other files, shell commands or applications.
  • hide-app: Open XML/Office documents that may try to hide the viewer or other applications.
  • powershell: Open XML/Office documents that may execute powershell commands.
  • create-dir: Open XML/Office documents that may try to create folders.
  • save-workbook: Open XML/Office spreadsheet files that may try to inadvertently save the existing workbook.
  • startup-folder: Open XML/Office documents that may try to set the name of the alternate startup folder.
  • create-ole: Open XML/Office documents that may create OLE objects.
  • enum-windows: Open XML/Office documents that may enumerate open windows.
  • run-dll: Open XML/Office documents that may execute code from DLLs.
  • download: Open XML/Office documents that may try to download additional files from the Internet.
  • send-keys: Open XML/Office documents that may try to interact with other applications.
  • obfuscated: Open XML/Office documents that seem to contain deobfuscation code.
  • registry: Open XML/Office documents that interact with the Windows Registry.
  • anti-analysis: Open XML/Office documents that seem to contain tricks to deceive researchers and analysis systems.
  • exe-pattern: Open XML/Office documents whose VBA code seems to manipulate an executable.
  • url-pattern: Open XML/Office documents whose VBA code references some URL.
  • domain-pattern: Open XML/Office documents whose VBA code references some domain.
  • email-pattern: Open XML/Office documents whose VBA code references some email.
  • ipv4-pattern: Open XML/Office documents whose VBA code references an IP address.

Flash specific:
  • as3: Makes use of ActionScript3.
  • as2: Makes use of ActionScript2.
  • os-checking: The SWF file fingerprints the OS executing it.
  • oadbytes: The SWF file makes use of the loadBytes ActionScript3 functionality.
  • navigate: Opens or replaces a window in the application that contains the Flash Player container with the contents of a given URL using the navigateToURL ActionScript function.
  • get-url: Contains ActionScript code to request and retrieve content from Internet URLs.
  • obfuscated: The SWF file has been processed with a common flash file obfuscator.
  • long-hex: The SWF file contains noticeably long strings of hex characters, this commonly reveals encoding of malicious code in hex format, which will then be transformed into binary via the hexToBin function.
  • long-base64: Same as above, but with base64 strings.
  • heap-spray: The SWF file seems to be performing heap spraying.
  • capabilities: The SWF file performs environment identification.
  • ext-interface: The flash file uses methods of the ExternalInterface class to communicate with the external host of the Flash plugin, such as the web browser.
  • javascript: The flash file seems to embed javascript code.
  • iframe: The flash file seems to be performing some sort of HTML iframe injection or makes use of iframes.
  • fscommand: The flash file uses ActionScript fscommand to save or execute other files.
  • exe-embedded: The flash file seems to embed a Portable Executable in its body.
  • rar-embedded: The flash file seems to embed a RAR file in its body.
  • zip-embedded: The flash file seems to embed a ZIP file in its body.

Java JAR specific:
  • pack200: JAR file that has been transformed into a compressed pack200 file.

PCAP specific:
  • malware: PCAP that exhibits generic malware-related network flows.
  • trojan: PCAP that exhibits trojan-related network flows.
  • worm: PCAP that exhibits worm-related network flows.
  • shellcode: PCAP that contains shellcode used for exploitation purposes.
  • exploit-kit: PCAP that contains network flows related to some exploit kit, e.g. Blackhole.

Android specific:
  • sends-sms: Android applications that send SMS messages when executed.
  • checks-gps: Android applications that check GPS locations when executed.
  • ext-prg: Android applications that launch external programs/commands when executed.
  • dyn-class: Android applications that dynamically load one or more classes when executed.
  • dyn-method: Android applications that dynamically call one or more methods.

ROM BIOS specific:
  • flash: flash BIOS firmware volume.
  • efi: EFI firmware capsule.
  • uefi: UEFI firmware capsule.
  • intel-me: Intel ME firmware module.
  • dell-fps: Dell FPS firmware.
  • apple: Apple-related firmware.
  • contains-pe: ROM BIOS images that contain a Windows executable, not just a ROM PE, but rather a fully-fledged windows executable.
  • contains-drv: ROM BIOS images that contain a Windows driver.
Modifier: submissions, s
Scope: Any file type
Description: Filters the files returned according to the number of times they were submitted to Google Threat Intelligence.
Examples: submissions:2, submissions:10+, submissions:20-, submissions:10+ submissions:20-

Modifier: sources
Scope: Any file type
Description: Filters the files returned according to the number of distinct sources that submitted the file to Google Threat Intelligence, independently of whether any given source submitted the file more than once.
Examples: sources:2, sources:10+, sources:20-, sources:10+ sources:20-

Modifier: submitter
Scope: Any file type
Description: Filters the files to be returned according to the region of their submitter. ISO 3166-1 alpha-2 codes are used. You can also filter by the submission interface (web/api).
Examples: submitter:CN, submitter:web submitter:BR

Modifier: first_submitter
Scope: Any file type
Description: Filters the files to be returned according to the region of the first submitter. ISO 3166-1 alpha-2 codes are used.
Example: first_submitter:ua

Modifier: itw
Scope: Any file type
Description: Returns all those files that have been downloaded from a URL containing the literal provided.
Examples: itw:"www.google.com", itw:"&product_title=", itw:"https://sites.google.com/site/llgcyber/WKWK.zip?attredirects=0&d=1"
Modifier: metadata
Scope: Any file type
Description: Filters the files returned according to metadata properties (if applicable). Finds all those files that have some (indexed) field containing the literal(s) provided, including data from:
  • Exiftool.
  • Headers of ELF files.
  • The Path and GUID of Portable Executable files.
  • Control metadata information of Debian packages.
  • iTunes File Information, Property List Configuration Information and Mobile Provisioning profile of iPhone application files.
  • File System Property List of DMG files.
  • Content metadata of bundled files.
  • Taggant packer information.
  • Office metadata.

Examples: metadata:"microsoft inc", metadata:uscourts, metadata:"ScanSoft PDF Create", metadata:"3.2.5 (v119), Copyright © 2003-2015", metadata:"Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>"
Modifier: androguard
Scope: Android files: APKs, ODEX, DEX, AXML.
Description: Returns all Android files whose Androguard output contains the literal provided.
Examples: androguard:"com.ON32233.Q2.GgActivity", androguard:"Time Out Bistro"

Modifier: lang
Scope: Portable Executable (PE) and Documents (DOC, DOCX, PPT, ODT, etc.)
Description: In the case of Portable Executables it returns all those files that have at least one resource of the specified language. In the case of documents, it finds all those files whose Exif language property matches the language provided.
Examples: lang:farsi, lang:"portuguese brazilian", type:pdf lang:"es-ar"
For PEs these are the available languages: *neutral, invariant, afrikaans, albanian, arabic, armenian, assamese, azeri, basque, belarusian, bengali, bulgarian, catalan, chinese, croatian, czech, danish, divehi, dutch, english, estonian, faeroese, farsi, finnish, french, galician, georgian, german, greek, gujarati, hebrew, hindi, hungarian, icelandic, indonesian, italian, japanese, kannada, kashmiri, kazak, konkani, korean, kyrgyz, latvian, lithuanian, macedonian, malay, malayalam, manipuri, marathi, mongolian, nepali, norwegian, oriya, polish, portuguese, punjabi, romanian, russian, sanskrit, serbian, sindhi, slovak, slovenian, spanish, swahili, swedish, syriac, tamil, tatar, telugu, thai, turkish, ukrainian, urdu, uzbek, vietnamese, gaelic, maltese, maori, rhaeto_romance, saami, sorbian, sutu, tsonga, tswana, venda, xhosa, zulu, esperanto, walon, cornish, welsh, breton, neutral, default, sys default, arabic saudi arabia, arabic iraq, arabic egypt, arabic libya, arabic algeria, arabic morocco, arabic tunisia, arabic oman, arabic yemen, arabic syria, arabic jordan, arabic lebanon, arabic kuwait, arabic uae, arabic bahrain, arabic qatar, azeri latin, azeri cyrillic, chinese traditional, chinese simplified, chinese hongkong, chinese singapore, chinese macau, dutch, dutch belgian, english us, english uk, english aus, english can, english nz, english eire, english south africa, english jamaica, english caribbean, english belize, english trinidad, english zimbabwe, english philippines, french, french belgian, french canadian, french swiss, french luxembourg, french monaco, german, german swiss, german austrian, german luxembourg, german liechtenstein, italian, italian swiss, kashmiri sasia, kashmiri india, korean, lithuanian, malay malaysia, malay brunei darussalam, nepali india, norwegian bokmal, norwegian nynorsk, portuguese, portuguese brazilian, serbian latin, serbian cyrillic, spanish, spanish mexican, spanish modern, spanish guatemala, spanish costa rica, spanish panama, spanish dominican republic, spanish venezuela, spanish colombia, spanish peru, spanish argentina, spanish ecuador, spanish chile, spanish uruguay, spanish paraguay, spanish bolivia, spanish el salvador, spanish honduras, spanish nicaragua, spanish puerto rico, swedish, swedish finland, urdu pakistan, urdu india, uzbek latin, uzbek cyrillic, dutch surinam, romanian, romanian moldavia, russian, russian moldavia, croatian, lithuanian classic, gaelic, gaelic scottish, gaelic manx.
In the case of documents, it is really up to the tool generating the corresponding Exif metadata property what the language can be; hence, you may try searching using the full language name (e.g. Spanish) or its ISO code (e.g. es-ar).
Modifier: signature
Scope: Portable Executables (PE), Mach-O
Description: Filters the files returned according to sigcheck fields. Finds all those files that have some sigcheck/codesign (PE signature, Apple code signing) field containing the literal(s) provided.
Examples: sigcheck:"google inc", sigcheck:"Google Update Setup", sigcheck:"Thawte Premium Server CA"

Modifier: creation_date, generated, gen, pets, petimestamp
Description: Filters files according to their compilation timestamp.
Example: creation_date:2018-08-21T18:18:38

Modifier: subspan
Scope: Any file type
Description: Filters Portable Executables according to the difference (in seconds) between the first submission time and the compilation timestamp (submission span). Can be used for attack attribution purposes.
Example: subspan:100-

Modifier: segment
Scope: Mach-Os
Description: Returns executables having a segment with the name provided.
Example: segment:"__LINKEDIT"

Modifier: section
Scope: Portable Executables (PE), ELFs, Mach-Os
Description: Returns executables having a section with the name or MD5 hash provided.
Examples: section:".xxx", sectionmd5:d41d8cd98f00b204e9800998ecf8427e

Modifier: imports
Scope: Portable Executables (PE), ELFs, Mach-Os, IPAs, JARs, Java bytecode
Description: Returns all those executables importing the given library.
Example: imports:"crypt32.dll"

Modifier: exports
Scope: Portable Executables (PE), ELFs, Java bytecode
Description: Returns all those executables exporting the function with the name provided.
Example: exports:"_FormMain"
Modifier: behaviour, behavior
Scope: Any file type with behavioral report
Description: Returns all those Portable Executables, MacOS executables or Android APKs whose dynamic behavioral report contains the literal provided.
Examples: behaviour:"explorer.exe", behaviour:"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable", behaviour:"www.go2000.cn", behaviour:"CTF.LBES.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003"

Modifier: behavior_files, behaviour_files
Scope: Any file type with behavioral report
Description: Changes related to the filesystem.
Example: behaviour_files:Crack

Modifier: behavior_processes, behaviour_processes
Scope: Any file type with behavioral report
Description: Related to any process fields such as processes_killed, processes_terminated, command_executions, injected_processes.
Example: behavior_processes:"calc.exe"

Modifier: behavior_injected_processes, behaviour_injected_processes
Scope: Any file type with behavioral report
Description: Related to injected processes.
Example: behaviour_injected_processes:calc.exe

Modifier: behavior_created_processes, behaviour_created_processes
Scope: Any file type with behavioral report
Description: Related to created processes.
Example: behaviour_created_processes:cmd.exe

Modifier: behavior_registry, behaviour_registry
Scope: Any file type with behavioral report
Description: Modifications related to the Windows registry.
Example: behavior_registry:dc971ee5-44eb-4fe4-ae2e-b91490411bfc

Modifier: behavior_services, behaviour_services
Scope: Any file type with behavioral report
Description: Observations related to services and daemons.
Example: behavior_services:TheService

Modifier: behavior_tags, behaviour_tags
Scope: Any file type with behavioral report
Description: Tags generated by sandboxes (see the full list of behaviour_tags).
Example: behavior_tags:tag

Modifier: behavior_network, behaviour_network
Scope: Any file type with behavioral report
Description: Related to network activity.
Examples: behaviour_network:www.goooo behaviour_network:update.iobit.com/dl/

Modifier: behash
Scope: Any file type with behavioral report
Description: Behavior similarity hashes.
Example: behash:d4e0fb08ee8b4e9e12641a14d5dc04ae

Modifier: sandbox_name
Description: Searches for a specific sandbox name.
Example: sandbox_name:VirusTotal
List of sandboxes:
  • bitdam_atp
  • c2ae
  • cyber_adapt
  • das_security_orcas
  • dr.web_vxcube
  • elf_digest
  • f_secure_sandbox
  • lastline
  • malwation
  • microsoft_sysinternals
  • nsfocus_poma
  • os_x_sandbox
  • qianxin_reddrip
  • reaqta_hive
  • rising_moves
  • sangfor_zsand
  • secneurx
  • secondwrite
  • sndbox
  • tencent_habo
  • venuseye_sandbox
  • virustotal_androbox
  • virustotal_box_of_apples
  • virustotal_cuckoofork
  • virustotal_droidy
  • virustotal_jsbox
  • virustotal_jujubox
  • virustotal_observer
  • virustotal_r2dbox
  • vmray
  • yomi_hunter
  • zenbox
  • zenbox_android
  • zenbox_linux
Modifier: traffic
Scope: Packet Captures (PCAPs)
Description: Searches within a limited subset of URLs, host names and IP addresses observed in the capture file, so that you may filter, for example, network traces containing a given domain.
Example: traffic:"google.com"

Modifier: similar-to
Scope: Portable Executables (PE), PDFs, MS Office documents, Flash SWFs, RTFs.
Description: Returns all those Portable Executables that are structurally similar to the one provided.
Examples: similar-to:7f71a98e67c61d7a0786fcfcb2c884b8acd26f5378dab5a786ae8a38d6b7b87e, similar-to:df9772a80d3da048b928623c3819dec5defb7840, similar-to:19b86fe81df05de2b4207e8eb0c3aa40

Modifier: ssdeep
Scope: Any file type
Description: Returns all those files that are similar to the one having the ssdeep hash provided.
Example: ssdeep:"24576:KrKqlGCPcJKwybUDwEZZODYmR9G+gnbkk6XRJfe3DqYO/KpLwFfngWX4VmJPakl:KrKo4ZwCOnYjVmJPaO"

Modifier: imphash
Scope: Portable Executables (PE)
Description: Returns all those Portable Executables with the given import hash; can be used to identify samples belonging to the same family.
Example: imphash:7fa974366048f9c551ef45714595665e

Modifier: vhash
Scope: Portable Executables (PE)
Description: Returns all those files with the given vhash.
Example: vhash:01603e0f7d501013z11z39z15z1011z1011z19z

Modifier: telfhash
Scope: Portable Executables (PE)
Description: Returns all those files with the given telfhash.
Example: telfhash:"t12ab138722e7558f8b7f08402425a7620ce39e027259439b71ef2b454f7f2c429b6ad7a50"

Modifier: content
Scope: Any file type
Description: Searches for string or binary content within a file. The syntax is similar to YARA content strings. One caveat is that content search queries cannot be sorted.
Examples: content:"Hello World!", content:{CAFEBABE}

Modifier: contacted_ip
Scope: Any file type
Description: Returns all those files that have contacted the IP/subnet provided.
Example: contacted_ip:162.158.0.0/15

Modifier: have
Scope: Any file type
Description: Filters the resources whose report contains information from the selected fields.
Examples: have:embedded_domains have:embedded_urls have:behaviour
Available fields: androguard, authentihash, behavior, behavior_files, behavior_network, behavior_processes, behavior_registry, behavior_services, behaviour, behaviour_files, behaviour_network, behaviour_processes, behaviour_created_processes, behaviour_injected_processes, behaviour_registry, behaviour_services, bundled_file, bundled_files, capability_tag, capability_tags, carbonblack_parents, ciphered_parents, clue_rule, clues, comment, comments, compressed_parents, contacted_domain, contacted_domains, contacted_ip, contacted_ips, contacted_url, contacted_urls, creation_date, crowdsourced_ids, crowdsourced_yara_rule, dropped_file, dropped_files, email_attachment, email_attachments, email_parents, embedded_domains, embedded_ips, embedded_urls, entry_point, ep, evtx, execution_parents, exports, gen, generated, imphash, imports, in_the_wild, itw, itw_domain, itw_domains, itw_url, itw_urls, ja3_digest, ja3_digests, lang, language, main_icon_dhash, main_icon_md5, malware_config, memdump, metadata, netguid, overlay_children, overlay_parents, packer, packers, parent, parents, pcap, pcap_children, pcap_parents, peresource, pe_resource_children, pe_resource_parents, permhash, petimestamp, pets, sandbox_name, scan_timeout, screenshot, screenshots, section, sectionmd5, sections, segment, segments, sigcheck, sigma_rule, sigma_rules, signature, signatures, tag, tags, tlsh, traffic, urls_for_embedded_js

Modifier: comment
Scope: Any file type
Description: Searches for a string in the comments section.
Example: comment:"#math_entropy_close_8"

Modifier: comment_author
Scope: Any file type
Description: Searches for resources that have any comment from the specified user.
Example: comment_author:javilinux

Modifier: clue_rule
Scope: Any file type
Description: Searches all files matching a specific VT Clue rule.
Example: clue_rule:1bd7d049d5d2d9b6a9ba92814d5e59f6ee1ccd45c2f3a9b0346e809e7e60fe07

Modifier: crowdsourced_yara_rule
Scope: Any file type
Description: Filters the files that match a crowdsourced YARA rule. You can search either using a rule's name or using both the ruleset's ID and the rule's name.
Examples: crowdsourced_yara_rule:Imphash_Malware_2_TA17_293A, crowdsourced_yara_rule:Nanocore, [crowdsourced_yara_rule:000554a6bb|SUSP_XORed_URL_in_EXE](https://www.virustotal.com/gui/search/crowdsourced_yara_rule%253A000554a6bb%257CSUSP_XORed_URL_in_EXE/files), [crowdsourced_yara_rule:0024b0b651|WinLock](https://www.virustotal.com/gui/search/crowdsourced_yara_rule%253A0024b0b651%257CWinLock/files)

Modifier: crowdsourced_ids
Scope: Any file type
Description: Filters the files that match a crowdsourced IDS rule. You can search either using a rule's name or the ruleset's ID.
Examples: crowdsourced_ids:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection" crowdsourced_ids:48084

Modifier: sigma_critical, sigma_high, sigma_medium, sigma_low
Scope: Any file type
Description: Number of matched Sigma rules of the different levels (critical/high/medium/low).
Examples: sigma_critical:1+ sigma_high:1+ sigma_medium:1+ sigma_low:1+

Modifier: sigma_rule
Scope: Any file type
Description: Filters the files that match a Sigma rule.
Example: sigma_rule:30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb

Modifier: engines
Scope: Any file type
Description: Filters the files according to the malware family name on the antivirus results (no matter which particular engine produced the output).
Example: engines:"Trojan.Isbar"
You can also filter files according to specific engine detections; check the details at: Identifying files according to antivirus detections

Modifier: min_engines_{verdict}
Scope: Any file type
Description: Filters files based on the number of engines providing a specific verdict.
Example: min_engines_banker:5 min_engines_emotet:10
peresourcePortable Executables (PE)Filters the files according to the hash associated with the contained resource.
Example: peresource:3de7cf1214054541d9b57cc2ab8d5e85516a0ac274b9d9213a07cd6e8e70a138
attack_techniqueAny file typeFilters the files according to the Mitre Att&ck technique.
Example: attack_technique:T1055
attack_tacticAny file typeFilters the files according to the Mitre Att&ck tactic.
Example: attack_tactic:TA0003
tridAny file typeTrIDis a utility designed to identify file types from their binary signatures. It may give several detections, ordered by higher to lower probability of file format identification (given as percentage).
Example: trid:"InstallShield setup"
tlshAny file typeIt is a hash used byTrend Micro which can be used for similarity comparisons.
Example: tlsh:T1F0B12349F49722D219B3707D3BBF920476A6454F0D48CD44742D7984AF1CF2BB8BA2CA
permhashAPKs, CRXs and their manifestsFilter APKs, CRXs and their manifests based on their permhash.
Example: permhash:9126f12ce5d0e610bb74da304b6bd0cd648428e59e74326fbd5affaa70d2257e
detectiteasyMSDOS, PE, ELF, MACH and BinaryIt is a program for determining types of files.
Example: detectiteasy:"Compiler: Microsoft Visual C/C++ (2015 v.14.0)"
malware_configAny file typeFilter files according to the malware configuration.
Example:malware_config:dcscmin\imdcsc.exe
codeinsightAny file typeSearches among all the Sec-PaLM AI analyses of the file.
Example: codeinsight:keylogger
crowdsourced_ai_analysisAny file typeSearches among all the AI analyses of the file.
Example: crowdsourced_ai_analysis:"is malicious"
crowdsourced_ai_verdictAny file typeSearches among all the AI verdicts of the file.
Example: crowdsourced_ai_verdict:benign
xxx_ai_analysisAny file typeSearches a specific source's AI analysis.
Right now xxx can be hispasec and nics.
Example: nics_ai_analysis:"is malicious"
xxx_ai_verdictAny file typeSearches a specific source's AI verdict.
Example: hispasec_ai_verdict:benign
threat_actor
related_actor
Any file typeSearches for IoCs which have that related threat actor.
Example: threat_actor:"Lazarus Group"
gti_scoreAny file typeGoogle Threat Intelligence assessment threat score.
Example: gti_score:30+"
gti_severityAny file typeGoogle Threat Intelligence assessment severity of the IOC.
Example: gti_severity:high"
gti_verdictAny file typeGoogle Threat Intelligence assessment verdict of the IOC.
Example: gti_verdict:benign"
behaviour_signature
behavior_signature
Any file typeSearch for behavior signature matches on rule names and descriptions..
Example: behaviour_signature:"linking/runtime-linking" behaviour_signature:"create process on Windows"
mbcAny file typeSearch by MBC ID.
Example: mbc:C0002
attributionAny file typeSearch by malware family based on the verdicts provided by the data sources available in VirusTotal. Attribution can be of 3 types: malwares , actors or campaigns
Example: attribution:apt15