OSINTBench

VirusTotal Review

Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains

Rating: 4.5/5 · Pricing: freemium (Free / Premium from $10,000+/year, enterprise) · Professional · Standard review · Reviewed 2026-04-03
Affiliate disclosure: OSINTBench may earn a commission if you purchase through links on this page, at no extra cost to you. Affiliate relationships do not influence our ratings or recommendations.

Quick Verdict

Best for: security researchers, incident responders, and OSINT investigators who need to analyze suspicious files, URLs, and infrastructure without executing them in their own environment, and who want confirmation across multiple AV engines before acting on a finding.

Pros

  • 70+ antivirus engines scan every submission simultaneously — no single vendor blind spot
  • Behavioral analysis sandbox shows what a file actually does when executed: process creation, network connections, file system changes
  • Relationship graph connects files, URLs, domains, and IPs — trace malware infrastructure across submissions
  • Community comments and detection context help distinguish true positives from false alarms
  • Free tier is useful for most investigations — 500 lookups/day via API, unlimited manual searches
  • Historical data: see scan history, past detections, previous relationships for any indicator

Cons

  • Submitting files to VirusTotal makes them publicly accessible to security researchers — don't submit sensitive documents
  • Free API is rate-limited (4 lookups/minute) and doesn't include all enrichments available in the web interface
  • Enterprise/premium pricing is extremely expensive — not viable for individual researchers
  • Detection rate alone is misleading — a file with 0/70 detections isn't necessarily clean
  • Behavioral sandbox availability varies — not every file gets dynamic analysis

What VirusTotal Is

VirusTotal analyzes files, URLs, domains, and IP addresses. The analysis is performed by over 70 antivirus engines and behavioral tools. You can upload a file or paste a URL, and seconds later, you receive results from every major AV vendor, along with sandbox data on how the file behaves in isolation.

The platform serves as a go-to tool for initial triage, and it is backed by Google via Chronicle. Researchers, responders, and analysts use it daily to investigate potential threats. You can use it too.

The Core Use Cases

Checking Suspicious Files Before Opening

Before you open a file from an unknown source, compute its hash locally rather than uploading the file itself:

```shell
shasum -a 256 suspicious-file.exe  # macOS/Linux
```

On Windows, `certutil -hashfile suspicious-file.exe SHA256` produces the same SHA-256 digest.

Paste the hash into VirusTotal's search bar.

Checking URLs Before Visiting

Paste a URL into VirusTotal and it checks reputation databases and scans the page content, flagging phishing, malware, and other threats.

You use it to vet links from unknown sources, suspected phishing sites, or IPs serving malicious content.

Infrastructure Analysis

VirusTotal does more than scan malware. Search an IP address or domain and you get a history. The history includes files that have communicated with it, URLs hosted on it, WHOIS and DNS records over time, certificates issued for it, and other indicators it's been tied to.

The IP history also includes malware associations. Shodan and SecurityTrails offer similar information, but without the malware context. If an IP ran a malware campaign or was a C2 server, VirusTotal knows.

Relationship Graphs

The relationship graph displays connections between indicators, starting with a suspicious file. It reveals the domains the file communicates with. These domains are linked to specific IPs. The hosting history of those IPs can then be examined. Code signatures matching known malware can also be searched.

Graph analysis is useful for tracking threat actors and investigating malware campaigns. Previously, this required expensive threat intelligence platforms. VirusTotal now provides a functional version for free, featuring connections between indicators such as domains, IPs, and code signatures.

Reading Detection Results

Reading a VirusTotal detection result requires care. The count alone, whether "15/70 detected" or "0/70 detected", does not give you a verdict.

High detection counts, 30 or more out of 70, usually indicate trouble, as major AV vendors tend to agree on those.

Medium counts, between 5 and 30, are suspicious and warrant a check of which vendors are flagging it. If vendors like Kaspersky, ESET, Microsoft, or Bitdefender are flagging it, that's a credible hit.

Low counts, 1 to 5, are ambiguous and could be a true positive or a false alarm. Community comments can help in such cases.

Zero detections are common for targeted or new malware, but this does not mean the file is clean. It means signature databases do not know it yet, and behavioral analysis is more useful here.

Community comments are important, as researchers share insights, explain detections, call out false positives, and identify campaigns or malware families.

That's it.

The Privacy Problem with File Submission

Every file uploaded to VirusTotal is shared: AV vendors, premium subscribers, and security researchers can all retrieve it. That is how new malware gets discovered.

You should not submit sensitive information. Hashes are safer. You compute the hash on your end, search for it, and get results, no file needed.

Submitting a URL to VirusTotal's scanner broadcasts your interest in it to VirusTotal and its partners. For sensitive investigations, look up existing reports by hash or URL instead of submitting a new scan.

API Access

VirusTotal's free API allows 4 lookups per minute, with 500 lookups per day. File submissions are available up to 32MB, along with basic metadata.

For bulk lookups, the free API is sufficient. The official Python library, vt-py, handles the integration, and you can script it.

Using the VirusTotal API to Fetch File Information

You need an API key. Replace "YOUR_API_KEY" with your actual key and file_hash with the MD5, SHA-1, or SHA-256 of the file you want to look up. The code below shows how to fetch file information.

```python
import vt

file_hash = "<md5, sha1 or sha256 of the file>"  # placeholder for the hash you want to look up

client = vt.Client("YOUR_API_KEY")
file_info = client.get_object(f"/files/{file_hash}")  # fetch the file object by hash
print(file_info.last_analysis_stats)
client.close()
```
How It Works

VirusTotal exposes an API that you use to query its database. The client object authenticates to VirusTotal with your key, the get_object method fetches a file's metadata by its hash, and the last_analysis_stats property holds the detection counts from the most recent scan. The steps are: get an API key, create a client, query a file hash, and read the stats.

Example Response

The last_analysis_stats dictionary contains several keys, including malicious, suspicious, timeout, and failure: malicious is the number of engines that flagged the file as malicious, suspicious the number that flagged it as suspicious, timeout the number that timed out during analysis, and failure the number that failed to analyze the file. These are the numbers operators act on.

Code Notes

Keep your API key secure. Do not hard-code it in scripts you share; read it from an environment variable instead. Use a try-except block to handle API errors, and create the client outside the try so that the finally clause never tries to close a client that was never created.

```python
import os
import vt

file_hash = "<sha256 of the file>"  # placeholder for the hash you want to look up

client = vt.Client(os.environ["VT_API_KEY"])  # key comes from the environment, not the source
try:
    file_info = client.get_object(f"/files/{file_hash}")
    print(file_info.last_analysis_stats)
except vt.APIError as e:  # vt-py raises vt.APIError; an unseen hash arrives with code "NotFoundError"
    print(f"API error: {e}")
finally:
    client.close()
```
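
Putting the review's advice together (hash-only lookups from "The Privacy Problem with File Submission", the count thresholds and vendor check from "Reading Detection Results", and the vt-py call above), here is an added example that is not from the original page or from VirusTotal: it hashes a file locally, fetches only the report for that digest, and applies the review's reading rules to the stats and per-engine results. The VT_API_KEY variable, the triage() function, the engine label spellings, and the sample report are assumptions or constructed for the example.

```python
import hashlib
import os

# Vendors the review names as credible; labels follow VirusTotal's engine
# names (assumption: exact labels may differ between reports).
TRUSTED_ENGINES = {"Kaspersky", "ESET-NOD32", "Microsoft", "BitDefender"}

def sha256_hex(data: bytes) -> str:
    """Hash locally so only the digest, never the file, leaves your machine."""
    return hashlib.sha256(data).hexdigest()

def triage(stats: dict, results: dict) -> dict:
    """Apply the review's reading rules to last_analysis_stats/_results."""
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    trusted = sorted(n for n, r in results.items()
                     if n in TRUSTED_ENGINES
                     and r.get("category") in ("malicious", "suspicious"))
    if hits == 0:
        verdict = "unknown"            # not "clean": signatures may not know it yet
    elif hits >= 30:
        verdict = "likely malicious"   # major vendors tend to agree at this level
    elif hits >= 5:
        verdict = "credible hit" if trusted else "suspicious"
    else:
        verdict = "ambiguous"          # 1-4 hits: read the community comments
    return {"hits": hits, "total": sum(stats.values()),
            "trusted_hits": trusted, "verdict": verdict}

def lookup_file(path: str) -> dict:
    """Hash-only lookup with vt-py; needs VT_API_KEY and network (not run in tests)."""
    import vt  # lazy import so triage() works without the library installed
    with open(path, "rb") as f:
        digest = sha256_hex(f.read())
    client = vt.Client(os.environ["VT_API_KEY"])
    try:
        obj = client.get_object(f"/files/{digest}")
        return triage(obj.last_analysis_stats, obj.last_analysis_results)
    except vt.APIError as e:
        if e.code == "NotFoundError":  # never submitted: no verdict, but no upload either
            return {"hits": 0, "total": 0, "trusted_hits": [], "verdict": "unseen"}
        raise
    finally:
        client.close()

# Constructed sample in the API's shape (not a real report): 7/70 with two trusted hits.
SAMPLE_STATS = {"malicious": 6, "suspicious": 1, "undetected": 60, "timeout": 2, "failure": 1}
SAMPLE_RESULTS = {"Kaspersky": {"category": "malicious", "result": "Trojan.Generic"},
                  "ESET-NOD32": {"category": "suspicious", "result": "Generik"},
                  "OtherAV": {"category": "undetected", "result": None}}
```

Running triage(SAMPLE_STATS, SAMPLE_RESULTS) returns a "credible hit" verdict with 7 of 70 engines flagging and both trusted vendors listed; a file VirusTotal has never seen comes back as "unseen" without ever being uploaded.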

Comparison to Alternatives

Malware Sandboxes

VirusTotal's sandbox has limits. For deeper behavioral analysis, you need more.

Any.run offers more detail than VirusTotal and is free for basic use. It is a good supplement when VirusTotal's data isn't enough.

Hybrid Analysis, also known as Falcon Sandbox, is another free option. It provides more detailed reports than VirusTotal.

Joe Sandbox leads in detailed reporting, used by enterprise teams. They offer free public submissions, but with limited detail.

URL and Domain Analysis

urlscan.io focuses on URLs and domains and outdoes VirusTotal in web infrastructure investigation. VirusTotal and urlscan.io complement each other.

Triage Workflow

VirusTotal is your first stop for suspicious indicators. When VirusTotal's results are inconclusive, use Any.run or Hybrid Analysis for deeper analysis.


Reviewed April 2026. Tool available at virustotal.com.

See Also

Threat Hunting with OSINT

Threat hunting relies on OSINT. You need to know what's out there before you can track it.

Hunting with Search Engines

Shodan indexes internet infrastructure, including servers, cameras, routers, and industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details. This information provides OSINT value, as you know what a target has exposed before you ever send a packet their way. Operators often miss things, and dev servers get forgotten.

Censys does similar work, with a focus on certificate data. You'll find hosts that way. SSL certs are easy to scan, and misconfigs get exposed.

Network Scanning Tools

Nmap scans ports quickly and accurately, and is scriptable. You control the scan, what to probe, and how to probe. Output goes to XML, greppable text, or your custom script.

Masscan performs large scans, covering thousands of hosts and all ports, with hourly reports.

ZMap is another option for large-scale scanning, allowing you to decide what to scan.

Threat Intel Platforms

Maltego offers graph-based analysis. You start with an IP and see related hosts, understand relationships. Mappers help visualize and investigate lateral movement.

ThreatQuotient integrates threat data, providing context and helping you prioritize incidents. Their UI is effective.

DNS and WHOIS Tools

Dnsrecon performs deep DNS enumeration, extracting records and finding subdomains. It's used for reconnaissance.

Whoxy does WHOIS lookups quickly and simply, providing registrant information.

OSINT Frameworks

Metagoofil searches documents for exposed data that is publicly accessible, finding sensitive information.

Spiderfoot automates OSINT by querying APIs, scraping sites, and correlating data.

Choosing Your Tools

No single tool does it all. You pick based on your needs. Budget is a factor. Some tools are free; others cost. Shodan's free tier limits you. Censys has free access too, but it's limited.

Start small, scale as needed, and test tools. Threat hunting improves.

Next Steps

Learn each tool, practice, and threat hunting gets better. Combine tools to improve results.

See also: Best Threat Hunting Tools, Domain and IP OSINT Guide.


This review reflects testing as of 2026-04-03. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.
