URLs doesn't only represent information by themselves, but also can give contextual information about files and other elements on VT.

Different URL calls may return different URL-related objects that we list here.

Object Attributes

categories: <dictionary> they key is the partner who categorised the URL and the value is the URL's category according to that partner.
favicon : <dictionary> dictionary including difference hash and md5 hash of the URL's favicon. Only returned in premium API.
- dhash: <string> difference hash
- raw_md5: <string> favicon's MD5 hash.
first_submission_date: <integer> UTC timestamp of the date where the URL was first submitted to Google Threat Intelligence.
gti_assessment*: <dictionary> containing the following fields:
- verdict: <dictionary>. The value property can have any of these values:
  - VERDICT_BENIGN: the entity is considered harmless.
  - VERDICT_UNDETECTED: no immediate evidence of malicious intent.
  - VERDICT_SUSPICIOUS: possible malicious activity detected, requires further investigation.
  - VERDICT_MALICIOUS: high confidence that the entity poses a threat.
  - VERDICT_UNKNOWN: we were not able to generate a verdict for this entity.
- severity: <dictionary>. The value property can have any of these values:
  - SEVERITY_NONE: this is the level assigned to entities with non-malicious verdict.
  - SEVERITY_LOW: the threat likely has a minor impact but should still be monitored
  - SEVERITY_MEDIUM: indicates a potential threat that warrants attention.
  - SEVERITY_HIGH: immediate action is recommended; the threat could have a critical impact
  - SEVERITY_UNKNOWN: not enough data to assess a severity.
- description: <string> a human readable description of the factors contributing to the verdict and severity classification.
- threat_score: <int> the Google Threat Intelligence score is a function of the Verdict and Severity, and leverages additional internal factors to generate the score. Valid values go from 0 to 100.
- contributing_factors: <dictionary> the signals that contributed to the verdict and severity classification.
  - mandiant_analyst_benign: <bool> the indicator was determined as benign by a Google Threat Intelligence analyst and likely poses no threat.
  - mandiant_analyst_malicious: <bool> it was determined as malicious by a Google Threat Intelligence analyst.
  - google_malware_analysis: <bool> it was detected by Google Threat Intelligence's malware analysis.
  - google_botnet_emulation: <bool> it was detected by Google Threat Intelligence's botnet analysis.
  - google_mobile_malware_analysis: <bool> it was detected by Google Threat Intelligence's mobile malware analysis.
  - google_malware_similarity: <bool> it was detected by Google Threat Intelligence's malware analysis.
  - google_malware_analysis_auto: <bool> it was detected by Google Threat Intelligence's malware analysis.
  - mandiant_association_report: <bool> it is associated with a Google Threat Intelligence Intelligence Report.
  - mandiant_association_actor: <bool> it is associated with a tracked Google Threat Intelligence threat actor.
  - mandiant_association_malware: <bool> it is associated with a tracked Google Threat Intelligence malware family
  - mandiant_domain_hijack: <bool> the domain was recently determined as malicious by a Google Threat Intelligence analyst.
  - mandiant_osint: <bool> it is considered widespread.
  - safebrowsing_verdict: <bool> Google Safebrowsing verdict.
  - gavs_detections: <int> number of detections by Google’s spam and threat filtering engines.
  - gavs_categories: <list of strings> known threat categories.
  - normalised_categories: <list of strings> known threat categories.
  - legitimate_software: <bool> the indicator is benign. It is associated with a well-known and trusted software distributor and likely poses no threat.
  - matched_malicious_yara: <bool> matches YARA rules.
  - malicious_sandbox_verdict: <bool> it was detected by sandbox analysis, indicating suspicious behavior.
  - associated_reference: <bool> it appears in public sources.
  - associated_malware_configuration: <bool> contains known malware configurations.
  - associated_actor: <bool> it is associated with a community threat actor.
  - high_severity_related_files: <bool> related files are marked as malicious (high severity).
  - medium_severity_related_files: <bool> related files are marked as malicious (medium severity).
  - low_severity_related_files: <bool> related files are marked as malicious (low severity).
  - pervasive_indicator: <bool> related files have been seen in OSINT sources.
gti_confidence_score: <int> the Google Threat Intelligence confidence score of the indicator. This score uses a probabilistic model to weight different signals. It expresses the confidence we have in an indicator being malicious (values closer to 100) or benign (values closer to 0). It's an additional signal used to determine the gti_assessment.verdict field.
- Values Above 95 are considered malicious and analysts should prioritize investigation.
- Values above 80 are considered malicious.
- Values between 60 and 80 are considered suspicious.
- Values between 20-60 mean we don't have signals to say the file is malicious or benign. This is equivalent to the verdict undetected.
- Values below 20 mean the IoC can be considered benign or noisy.
mandiant_confidence_score: <int> this is a similar probabilistic score, like the gti_confidence_score above, but is only available in a subset of IoCs. It's in the process of being deprecated in favor of gti_confidence_score.
html_meta: <dictionary> containing all meta tags (only for URLs downloading a HTML). Keys are the meta tag name and value is a list containing all values of that meta tag.
last_analysis_date: <integer> UTC timestamp representing last time the URL was scanned.
last_analysis_results: <dictionary> result from URL scanners. dict with scanner name as key and a dict with notes/result from that scanner as value.
- category: <string> normalized result. can be:
  - "harmless" (site is not malicious),
  - "undetected" (scanner has no opinion about this site),
  - "suspicious" (scanner thinks the site is suspicious),
  - "malicious" (scanner thinks the site is malicious).
- engine_name: <string> complete name of the URL scanning service.
- method: <string> type of service given by that URL scanning service (i.e. "blacklist").
- result: <string> raw value returned by the URL scanner ("clean", "malicious", "suspicious", "phishing"). It may vary from scanner to scanner, hence the need for the "category" field for normalisation.
last_analysis_stats: <dictionary> number of different results from this scans.
- harmless: <integer> number of reports saying that is harmless.
- malicious: <integer> number of reports saying that is malicious.
- suspicious: <integer> number of reports saying that is suspicious.
- timeout: <integer> number of timeouts when checking this URL.
- undetected: <integer> number of reports saying that is undetected.
last_final_url: <string> if the original URL redirects, where does it end.
last_http_response_code: <integer> HTTP response code of the last response.
last_http_response_content_length: <integer> length in bytes of the content received.
last_http_response_content_sha256: <string> URL response body's SHA256 hash.
last_http_response_cookies: <dictionary> containing the website's cookies.
last_http_response_headers: <dictionary> containing headers and values of last HTTP response.
last_modification_date: <integer> UTC timestamp representing last modification date.
last_submission_date: <integer> UTC timestamp representing last time it was sent to be analysed.
outgoing_links: <list of strings> containing links to different domains.
redirection_chain: <list of strings> history of redirections followed when visiting a given URL. The last URL of the chain is not included in the list since it is available at the last_final_url attribute.
reputation: <integer> value of votes from VT community.
tags: <list of strings> tags.
targeted_brand: <dictionary> targeted brand info extracted from phishing engines.
times_submitted: <integer> number of times that URL has been checked.
title: <string> webpage title.
total_votes: <dictionary> containing the number of positive ("harmless") and negative ("malicious") votes received from VT community.
- harmless: <integer> number of positive votes.
- malicious: <integer> number of negative votes.
trackers: <dictionary> contains all found trackers in that URL in a historical manner. Every key is a tracker name, which is a dictionary containing:
- id: <string> tracker ID, if available.
- timestamp: <integer> tracker ingestion date as UNIX timestamp.
- url: <string> tracker script URL.
url: <string> original URL to be scanned.
has_content: <boolean> Whether the url has content in it.

⚠️
gti_assessment attribute
To get the gti_assessment attribute in the JSON response, ensure that the x-tool header is added to the request headers. This header should be used to identify your tool or service with a custom name.

Relationships

In addition to the previously described attributes, URL objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section. The available relationships are described bellow.

Relationship	Description	Accessibility	Return object type
analyses	Analyses for the URL.	Google TI users only.	List of Analyses.
associations	URL's associated objects (reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors), without filtering by the associated object type.	Everyone.	List of reports, campaigns, IoC collections, malware families, software toolkits, vulnerabilities, threat-actors objecs.
campaigns	Campaigns associated to the URL.	Google TI Enterprise and Enterprise Plus users only.	List of collections of type Campaign.
collections	IoC Collections associated to the URL.	Everyone.	List of collections of type IoC Collection.
comments	Community posted comments about the URL.	Everyone.	List of Comments.
communicating_files	Files that communicate with a given URL when they're executed.	Google TI users only.	List of Files.
contacted_domains	Domains from which the URL loads some kind of resource.	Google TI users only.	List of Domains.
contacted_ips	IPs from which the URL loads some kind of resource.	Google TI users only.	List of IP addresses.
downloaded_files	Files downloaded from the URL.	Google TI users only.	List of Files.
embedded_js_files	JS files embedded in a URL.	Google TI users only.	List of Files.
graphs	Graphs including the URL.	Everyone.	List of Graphs.
http_response_contents	TTP response contents from the URL.	Google TI users only.	List of Files.
last_serving_ip_address	Last IP address that served the URL.	Everyone.	A single IP address.
malware_families	Malware families associated to the URL.	Google TI Enterprise and Enterprise Plus users only.	A list of collections of type malware family.
memory_pattern_parents	Files having a domain as string on memory during sandbox execution.	Google TI users only.	List of Files.
network_location	Domain or IP for the URL.	Everyone.	A single IP address or Domain.
parent_resource_urls	Returns the URLs where this URL has been loaded as resource.	Google TI users only.	A list of URLs.
redirecting_urls	URLs that redirected to the given URL.	Google TI users only.	A list of URLs.
redirects_to	URLs that this url redirects to.	Google TI users only.	A list of URLs.
referrer_files	Files containing the URL.	Google TI users only.	A list of Files.
referrer_urls	URLs referring the URL.	Google TI users only.	A list of URLs.
related_collections	Returns the Collections of the parent Domains or IPs of this URL.	Google TI Enterprise and Enterprise Plus users only.	List of IoC Collections.
related_comments	Community posted comments in the URL's related objects.	Everyone.	A list of Comments.
related_reports	Reports that are directly and indirectly related to the URL.	Google TI Enterprise and Enterprise Plus users only.	List of collections of type Reports.
related_threat_actors	URL's related threat actors.	Google TI Enterprise and Enterprise Plus users only.	List of Threat Actors.
reports	Reports directly associated to the URL.	Google TI Enterprise and Enterprise Plus users only.	A list of Reports.
software_toolkits	Software and Toolkits associated to the URL.	Google TI Enterprise and Enterprise Plus users only.	A list of Software and Toolkits.
submissions	URL's submissions.	Google TI users only.	A list of Submissions.
urls_related_by_tracker_id	URLs that share the same tracker ID.	Google TI users only.	A list of URLs.
user_votes	URL's votes made by current signed-in user.	Everyone.	A list of Votes.
votes	Votes for the URL.	Everyone.	A list of Votes.
vulnerabilities	Vulnerabilities associated to the URL.	Google TI Enterprise and Enterprise Plus users only.	A list of Vulnerabilities.