Getting full file analysis report

Kaspersky Threat Intelligence Portal provides an API for getting the full analysis results of a file previously submitted to the Sandbox in the web interface.

The full report is available only if the Get a full dynamic analysis report check box was selected while submitting the file. The check box is available after signing in with Kaspersky Account.

You can use the scan/file method to obtain the file hash (MD5, SHA1, SHA256).

Request

Request method: POST

Endpoint: https://opentip.kaspersky.com/api/v1/getresult/file

Query parameter: request—Hash for which you want to get the analysis results.

cURL command sample:

curl --request POST 'https://opentip.kaspersky.com/api/v1/getresult/file?request=<file hash> --header 'x-api-key: <API token>'

Here:

<file hash>—The hash of the file that you want to get analysis results for.
<API token>—The API token that you requested in the web interface.

Responses

200 OK

Request processed successfully.

Endpoint returns a JSON object that contains basic information about the previously analyzed file.

200 OK response parameters

Parameter	Type	Description
`Status`	string	File analysis status. Available values: `in progress`—The file is still being analyzed. `complete`—The file analysis successfully completed. `not started`—The file has not been previously submitted for analysis.
`Zone`	string	Color of the zone that a file belongs to. Available values: `Red`—The file can be classified as Malware. `Yellow`—The file is classified as Adware and other (Adware, Pornware, and other programs). `Green`—The file has the Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis. `Grey`—No data or not enough information is available for the file.
`FileGeneralInfo`	object	General information about the requested hash.
`FileStatus`	string	Status of the submitted file (Malware, Adware and other, Clean, No threats detected, or Not categorized).
`Sha1`	string	SHA1 hash of the file requested by the hash.
Md5	string	MD5 hash of the file requested by the hash.
`Sha256`	string	SHA256 hash of the file requested by the hash.
`FirstSeen`	string <date-time>	Date and time when the requested hash was detected by Kaspersky expert systems for the first time.
`LastSeen`	string <date-time>	Date and time when the requested hash was detected by Kaspersky expert systems for the last time.
`Signer`	string	Organization that signed the requested hash.
`Packer`	string	Packer name (if available).
`Size`	integer	Size of the object being investigated by the hash (in bytes).
`Type`	string	Type of the object being investigated by the hash.
`HitsCount`	integer	Number of hits (popularity) of the requested hash detected by Kaspersky expert systems. Number of hits is rounded to the nearest power of 10.
`DetectionsInfo`	Array of objects	Information about detected objects.
`LastDetectDate`	string <date-time>	Date and time when the object was last detected by Kaspersky expert systems.
`DescriptionUrl`	string	Link to the detected object's description in the Kaspersky threats website (if available).
`Zone`	string	Color of the zone that the detected object belongs to.
`DetectionName`	string	Name of the detected object.
`DetectionMethod`	string	Method used to detect the object.
`DynamicAnalisysResults`	object	Information about dynamic analysis results.
`Detections`	Array of objects	The number of detected objects with Malware (red) or Adware and other (yellow) statuses. `Zone`—Color of the zone of the detected object (Red or Yellow). `Count`—Number of objects that belong to the zone.
`SuspiciousActivities`	Array of objects	The number of suspicious activities with High (red), Medium (yellow), or Low (grey) levels. `Zone`—Color of the zone of the activity (Red, Yellow, or Grey). `Count`—Number of activities that belong to the zone.
`ExtractedFiles`	Array of objects	The number of files that were downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no information about the extracted files is available, in grey). `Zone`—Color of the zone of the file (Red, Yellow, Green, or Grey). `Count`—Number of files that belong to the zone.
`NetworkActivities`	Array of objects	The number of registered network interactions that the file performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). `Zone`—Color of the zone of the network activity (Red, Yellow, Green, or Grey). `Count`—Number of network activities that belong to the zone.
`DynamicDetections`	Array of objects	Detects related to the analyzed file. `Zone`—Color of the zone of the detected object (Red or Yellow). `Threat`—Number of detected objects that belong to the zone.
`TriggeredNetworkRules`	Array of objects	SNORT and Suricata rules triggered during analysis of traffic from the file. `Zone`—Color of the zone of the triggered rule (Red or Yellow). `RuleName`—Name of the triggered rule.

400 Bad Request

401 Unauthorized

403 Forbidden

Page top