Cyber Threat OSINT Verified May 16, 2026

VirusTotal

VirusTotal analyzes suspicious files, URLs, domains, and IPs using 70+ antivirus engines and threat intelligence feeds simultaneously.

Investigator Use

VirusTotal is the internet's most widely used multi-engine malware analysis platform, aggregating scanning results from over 70 antivirus engines, URL scanners, and sandbox services. It supports analysis of files, URLs, domains, and IP addresses, and is used daily by security analysts, malware researchers, threat hunters, and OSINT investigators.

What investigators use VirusTotal for: checking whether a file, URL, or IP has been flagged as malicious, researching infrastructure associated with threat actors, pivoting between related indicators of compromise, identifying malware families, and tracking when a domain or IP first appeared in threat feeds.

What data VirusTotal exposes: detection ratios from dozens of antivirus engines, sandbox behavioral reports, passive DNS data showing domains and IPs that resolved to each other historically, WHOIS registration details, SSL certificate chains, file metadata and hashes, and community comments from analysts who have investigated the same indicators.

The graph feature is one of VirusTotal's most powerful OSINT tools. Starting from a file hash, you can pivot to the domain that distributed it, then to other files served from that domain, then to IP addresses the domain resolved to, and then to other domains hosted on those IPs. This technique links together malware campaigns that would otherwise appear unrelated.

For URL and domain investigations: submit a suspicious URL to get a screenshot of the page, HTTP response headers, redirects, and detection verdicts. Domains with a history of malicious activity retain that context even after the malicious content is removed, making VirusTotal useful for assessing whether a domain was previously weaponized.

API access: VirusTotal's public API allows 500 lookups per day with a free account. Intelligence features, retrohunting, and higher API quotas require a premium subscription. Most OSINT investigations can be conducted within the free tier.

In a workflow: use VirusTotal as a first-pass triage tool for any suspicious indicator. If a URL or file is detected, pivot to the related infrastructure graph to identify the broader campaign. Cross-reference findings with Shodan for exposed services and Pulsedive for additional threat intelligence context. Always check the detection timeline — first-seen dates help establish when infrastructure was set up.
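The hash-to-domain-to-IP-to-sibling-domain pivot described above, as an added example that is not part of this page or of VirusTotal's own tooling. It assumes the VirusTotal API v3 base URL, the `x-apikey` header, and the `contacted_domains` and `resolutions` relationship paths; the fetcher spaces calls 15 seconds apart (an assumption about the public key's per-minute limit) and the pivot stops once a lookup budget is spent so one investigation does not burn the daily quota. The `SAMPLE` responses are constructed so the walk runs offline.

```python
import json
import time
import urllib.request

VT_BASE = "https://www.virustotal.com/api/v3"  # assumption: VT API v3 base URL and relationship paths

def make_fetcher(api_key, min_interval=15.0):
    """Return a GET function for VT API v3; spaces calls so a free key stays under its rate limit."""
    last_call = [0.0]
    def fetch(path):
        wait = min_interval - (time.monotonic() - last_call[0])
        if wait > 0:
            time.sleep(wait)
        req = urllib.request.Request(VT_BASE + path, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            last_call[0] = time.monotonic()
            return json.load(resp)
    return fetch

def pivot_from_hash(sha256, fetch, budget=25):
    """Hash -> verdict -> contacted domains -> historical IPs -> other domains on those IPs, within `budget` lookups."""
    calls = 0
    def get(path):
        nonlocal calls
        if calls >= budget:
            raise RuntimeError("lookup budget exhausted; narrow the pivot before continuing")
        calls += 1
        return fetch(path)
    stats = get(f"/files/{sha256}")["data"]["attributes"]["last_analysis_stats"]
    out = {"sha256": sha256, "malicious": stats.get("malicious", 0), "domains": {}, "siblings": {}}
    for dom in get(f"/files/{sha256}/contacted_domains")["data"]:
        domain = dom["id"]
        ips = [r["attributes"]["ip_address"] for r in get(f"/domains/{domain}/resolutions")["data"]]
        out["domains"][domain] = ips
        for ip in ips:
            hosts = [r["attributes"]["host_name"] for r in get(f"/ip_addresses/{ip}/resolutions")["data"]]
            out["siblings"][ip] = sorted(set(hosts) - {domain})  # domains co-hosted with the distributing domain
    out["lookups_used"] = calls  # every call counts against the 500/day free quota
    return out

# Constructed sample responses (not real indicators) so the pivot runs offline without an API key.
SAMPLE = {
    "/files/" + "a" * 64: {"data": {"attributes": {"last_analysis_stats": {"malicious": 41, "undetected": 29}}}},
    "/files/" + "a" * 64 + "/contacted_domains": {"data": [{"id": "lure.example"}]},
    "/domains/lure.example/resolutions": {"data": [{"attributes": {"ip_address": "192.0.2.10"}}]},
    "/ip_addresses/192.0.2.10/resolutions": {"data": [{"attributes": {"host_name": "lure.example"}},
                                                      {"attributes": {"host_name": "cdn.example"}}]},
}
if __name__ == "__main__":
    print(json.dumps(pivot_from_hash("a" * 64, SAMPLE.__getitem__), indent=2))
```

Against a live key, replace `SAMPLE.__getitem__` with `make_fetcher(api_key)`; sibling domains are leads to corroborate, not verdicts, since shared hosting puts unrelated domains on one IP.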

Before You Pivot

Record Context

Capture the target, search terms, and why this source is relevant before you leave the page.

Preserve Evidence

Archive volatile pages, save screenshots, and keep timestamps for anything that may change.

Corroborate

Treat one tool as a lead source. Confirm important findings with independent sources.
