Hybrid Analysis

Use the Hybrid Analysis integration to submit and analyze files.

Supported File Types

The maximum file upload size is 100 MB.

  • PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
  • Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
  • PDF
  • APK
  • JAR executables
  • Windows Script Component (.sct)
  • Windows Shortcut (.lnk)
  • Windows Help (.chm)
  • HTML Application (.hta)
  • Windows Script File (*.wsf)
  • JavaScript (.js)
  • Visual Basic (*.vbs, *.vbe)
  • Shockwave Flash (.swf)
  • Perl (.pl)
  • PowerShell (.ps1, .psd1, .psm1)
  • Scalable Vector Graphics (.svg)
  • Python scripts (.py)
  • Linux ELF executables
  • MIME RFC 822 (*.eml)
  • Outlook (*.msg files)

Configure the Hybrid Analysis Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Hybrid Analysis.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URI : for example, https://216.128.82
    • API Key : Demisto creates an API key; do not populate this field.
    • Secret Key (applicable for v1)
    • Do not validate server certificate (insecure)
    • Use system proxy settings
  4. Click Test to validate the URLs and token.

Use Cases

  • Submit sample files for analysis.
  • Get result data of sample files.
  • Search the Hybrid Analysis database.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Scan a file hash: hybrid-analysis-scan
  2. Submit a sample file: hybrid-analysis-submit-sample
  3. Search Hybrid Analysis: hybrid-analysis-search
  4. Detonate a file: hybrid-analysis-detonate-file
  5. Get the status of a file submission: hybrid-analysis-get-report-status
  6. Submit a website or file URL for quick analysis: hybrid-analysis-quick-scan-url
  7. Submit a website or file URL for analysis: hybrid-analysis-submit-url
  8. Get a list of scanners: hybrid-analysis-list-scanners
  9. Get scan results: hybrid-analysis-quick-scan-url-results

1. Scan a file hash


Returns summary information for a given MD5, SHA1 or SHA256 hash, and all reports generated for any environment ID.

Base Command

hybrid-analysis-scan

Input
Argument Name Description Required
file The MD5, SHA1, or SHA256 hash of the file. Required
malicious_threat_levels Threat level values, which will determine if the file is malicious. Optional

Context Output
Path Type Description
File.SHA256 string SHA256 hash of the file.
File.SHA1 string SHA1 hash of the file.
File.MD5 string MD5 hash of the file.
File.environmentId string The environment ID of the file.
File.analysis_start_time string The start time of the file analysis.
File.submitname string The submission name of the file.
File.classification_tags string A list of classification tags of the file.
File.vxfamily string The family classification of the file.
File.total_network_connections string The total number of network connections of the file.
File.total_processes string The total processes count of the file.
File.total_signatures string The total signatures count of the file.
File.hosts string A list of hosts of the file.
File.isinteresting string Whether the server found the file interesting.
File.domains string A list of domains related to the file.
File.isurlanalysis string Whether the file was analyzed by a URL.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.
DBotScore.Indicator string The indicator.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The DBot score vendor.
DBotScore.Score number The DBot score.

Command Example
 !hybrid-analysis-scan file=bb3bed4a07c472ad7a51c19634e33ad2c9769a27fa750f096d9cca5b5b9e4616
Human Readable Output

2. Submit a file sample


Submits a file from the investigation to the analysis server. The minimum required authorization is "default".

Base Command

hybrid-analysis-submit-sample

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file. Required
environmentID The environment ID to which to submit the file. Run the vx-get-environments command to get all environment IDs. Required

Context Output
Path Type Description
HybridAnalysis.Submit.JobID string JobID of the submission.
HybridAnalysis.Submit.SHA256 string The SHA256 hash of the submission.
HybridAnalysis.Submit.EnvironmentID string The environment ID of the submission.

Command Example
 !hybrid-analysis-submit-sample entryId=413@13 environmentID=100
Human Readable Output

3. Search Hybrid Analysis


Performs a search on the database using the Hybrid Analysis search syntax.

Base Command

hybrid-analysis-search

Input
Argument Name Description Required
query The query to run, in the Hybrid Analysis query syntax. For more information, see `/faq#advanced-search-options`. For example: url:google, host:95.181.53.78. Optional
filename The full file name, including the file extension. Optional
filetype The file type, for example: docx. Optional
filetype_desc A description of the file type, for example, PE32 executable. Optional
env_id The environment ID. Optional
country The ISO code of the country by which to filter results, for example: swe. Optional
verdict The verdict by which to filter results. Can be "1- whitelisted", "2- no verdict", "3- no specific threat", "4- suspicious", or "5- malicious". Optional
av_detect The AV multi-scan range (0-100) by which to filter results, for example: "50-70". Optional
vx_family The AV family substring by which to filter results, for example: "nemucod". Optional
tag The hashtag by which to filter results, for example: "ransomware". Optional
port The port by which to filter results. Optional
host The host (IP address) by which to filter results. Optional
domain The domain by which to filter results. Optional
url The HTTP request substring by which to filter results. Optional
similar_to Similar samples, for example: . Optional
context Sample context, for example: . Optional
imp_hash The import hash. Optional
ssdeep The ssdeep hash. Optional
authentihash The authentication hash. Optional
min_malicious_scanners The minimum number of scanners that must report the file as malicious for the file to be considered malicious. Default is "2". Optional

Context Output
Path Type Description
HybridAnalysis.Search.SHA256 string The SHA256 hash of the search result.
HybridAnalysis.Search.SHA1 string The SHA1 hash of the search result.
HybridAnalysis.Search.MD5 string The MD5 hash of the search result.
HybridAnalysis.Search.environmentId string The environment ID of the search result.
HybridAnalysis.Search.start_time date The start time of the search result.
HybridAnalysis.Search.threatscore string The threat score of the search result, by server.
HybridAnalysis.Search.verdict string The verdict of the search result.
HybridAnalysis.Search.environmentDescription string The environment description of the search result.
HybridAnalysis.Search.submitname string The submission name of the search result.
HybridAnalysis.Search.vxfamily string The family of the search result.
HybridAnalysis.Search.threatscore string The threat score of the search result.
HybridAnalysis.Search.type_short string The type of search result, for example: "url" or "host".
HybridAnalysis.Search.size number The size of the search result.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.
DBotScore.Indicator unknown The indicator.
DBotScore.Type unknown The indicator type.
DBotScore.Vendor unknown The DBotScore vendor.
DBotScore.Score unknown The DBot score.

Command Example
 !hybrid-analysis-search filename=fvp_setup_3.2.1.53fi.exe min_malicious_scanners=2
Human Readable Output

4. Detonate a file


Submits a file for detonation in Hybrid Analysis.

Base Command

hybrid-analysis-detonate-file

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file you want to detonate. Required
environmentID The environment ID to which to submit the file for detonation. Run the vx-get-environments command to get all environment IDs. Default is 100 (or another Windows environment ID). Optional
delay The amount of time (in seconds) to wait between calls. Default is "3". Optional
timeout The total wait time (in seconds) before timeout. Default is "60". Optional
malicious_threat_levels A comma separated list of threat level values. Files that have a threat level specified in the list will be considered malicious. Optional

Context Output
Path Type Description
File.SHA256 string The SHA256 hash of the file.
File.SHA1 string The SHA1 hash of the file.
File.MD5 string The MD5 of the file.
File.environmentalId string The environmental ID of the file.
File.analysis_start_time string The start time of the file analysis.
File.submitname string The submission name of the file.
File.classification_tags string A list of classification tags of the file.
File.vxfamily string The family classification of the file.
File.total_network_connections string The total number of network connections of the file.
File.total_processes string The total processes count of the file.
File.total_signatures string The total signatures count of the file.
File.hosts string A list of hosts of the file.
File.isinteresting string Whether the server found the file interesting.
File.domains string A list of domains related to the file.
File.isurlanalysis string Whether the file was analyzed by a URL.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.
DBotScore.Indicator string The indicator.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The DBot score vendor.
DBotScore.Score number The DBot score.

5. Get the status of a file submission


Returns the state of the file submission.

Base Command

hybrid-analysis-get-report-status

Input
Argument Name Description Required
jobID The job ID of the submission. Optional
sha256 The submission SHA256. Optional
environmentID The environment ID of the submission. Optional

Context Output
Path Type Description
HybridAnalysis.Submit.State string The state of the process.
HybridAnalysis.Submit.SHA256 string The SHA256 hash of the submission.
HybridAnalysis.Submit.JobID string The job ID of the submission.
HybridAnalysis.Submit.EnvironmentID string The environment ID of the submission.

6. Submit a website or file URL for quick analysis


Submits the URL of a website, or the URL that contains the file, for analysis.

Base Command

hybrid-analysis-quick-scan-url

Input
Argument Name Description Required
scan_type The type of scan. Run the hybrid-analysis-list-scanners command to view available scanners. Optional
url The website URL, or the URL that contains the file to submit. Required

Context Output
Path Type Description
HybridAnalysis.URL.Data string The URL.
HybridAnalysis.URL.ScanID string The scan ID.
HybridAnalysis.URL.SHA256 string The SHA256 hash of the URL.
HybridAnalysis.URL.Finished boolean Whether the scan completed.
File.Name string The URL.
File.SHA256 string The SHA256 hash of the file.
HybridAnalysis.URL.SubmissionType string The type of the submission. Can be "file" or "url".

Command Example
 !hybrid-analysis-quick-scan-url url=www.google.com
Human Readable Output

7. Submit a website or file URL for analysis


Submits the URL of a website or the URL that contains the file, for analysis.

Base Command

hybrid-analysis-submit-url

Input
Argument Name Description Required
url The URL of the file to submit. Required
environmentID The environment ID to which to submit the file. Run the vx-get-environments command to get all environment IDs. Required

Context Output
Path Type Description
HybridAnalysis.Submit.JobID string The job ID of the submission.
HybridAnalysis.Submit.SHA256 string The SHA256 of the submission.
HybridAnalysis.Submit.EnvironmentID number The environment ID of the submission.
HybridAnalysis.Submit.SubmissionType string The type of the submission. Can be "file" or "url".

Command Example
!hybrid-analysis-submit-url environmentID=100 url=www.google.com
Human Readable Output

8. Get a list of scanners


Returns a list of available scanners.

Base Command

hybrid-analysis-list-scanners

Input

There are no input arguments for this command.

Context Output
Path Type Description
HybridAnalysis.Scanner.Available unknown Whether the scanner is available.
HybridAnalysis.Scanner.Name unknown The scanner name.
HybridAnalysis.Scanner.Description unknown The scanner description.

Command Example
 !hybrid-analysis-list-scanners
Human Readable Output

9. Get scan results


Returns the scan results of the given URL ID.

Base Command

hybrid-analysis-quick-scan-url-results

Input
Argument Name Description Required
scanID The scan ID of the scanned URL. Required
min_malicious_scanners The minimum number of scanners that must report the file as malicious for the file to be considered malicious. Default is "2". Optional

Context Output
Path Type Description
HybridAnalysis.URL.ScanID string The scan ID.
HybridAnalysis.URL.SHA256 string The SHA256 hash of the indicator.
HybridAnalysis.URL.Finished boolean Whether the process completed.
HybridAnalysis.URL.Scanner.Name string The scanner name.
HybridAnalysis.URL.Scanner.Positives number The number of positive results.
HybridAnalysis.URL.Scanner.Status string The status of the file.
HybridAnalysis.URL.Whitelist.ID string The type of ID.
HybridAnalysis.URL.Whitelist.Value boolean Whether the indicator is on the whitelist.
File.SHA256 string The SHA256 hash of the file.

Command Example
!hybrid-analysis-quick-scan-url-results scanID=5d6cf460028838eb26d56dc4
Human Readable Output
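The two thresholds this integration exposes, malicious_threat_levels (commands 1 and 4) and min_malicious_scanners (commands 3 and 9), decide how a result is mapped to a DBotScore and a File.Malicious entry. The following is an added example that reproduces that decision logic offline; it is not the integration's own code. The sample context entries are constructed to match the context paths documented above, the threat_level key on a scan report is an assumption (the page does not name that field), and treating fewer positives than the minimum as "suspicious" is also an assumption.

```python
from typing import Dict, Iterable, List, Optional

# Standard Demisto DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
VENDOR = "Hybrid Analysis"  # value for File.Malicious.Vendor / DBotScore.Vendor


def parse_threat_levels(arg: Optional[str]) -> set:
    """Parse the comma separated malicious_threat_levels argument, e.g. '2,3'."""
    if not arg:
        return set()
    return {int(x.strip()) for x in arg.split(",") if x.strip()}


def score_file_reports(reports: List[Dict], malicious_threat_levels: str) -> Dict:
    """Rule for hybrid-analysis-scan / -detonate-file: the file is malicious if any
    report carries a threat level listed in the argument ('threat_level' is assumed)."""
    if not reports:
        return {"Score": DBOT_UNKNOWN}  # nothing analysed yet: no verdict
    levels = parse_threat_levels(malicious_threat_levels)
    hits = [r for r in reports if r.get("threat_level") in levels]
    if hits:
        envs = ", ".join(str(r.get("environmentId")) for r in hits)
        desc = f"threat level in {sorted(levels)} for environment(s) {envs}"
        return {"Score": DBOT_BAD, "Malicious": {"Vendor": VENDOR, "Description": desc}}
    return {"Score": DBOT_GOOD}


def score_url_scanners(scanners: List[Dict], whitelist: Iterable[Dict],
                       min_malicious_scanners: int = 2) -> Dict:
    """Rule for hybrid-analysis-quick-scan-url-results: count scanners with Positives > 0
    and compare with min_malicious_scanners (default 2). A whitelisted indicator is good;
    some positives below the minimum are scored suspicious (assumption)."""
    if any(w.get("Value") is True for w in whitelist):
        return {"Score": DBOT_GOOD}
    positive = [s["Name"] for s in scanners if int(s.get("Positives") or 0) > 0]
    if len(positive) >= min_malicious_scanners:
        desc = f"{len(positive)} scanner(s) flagged the URL: {', '.join(positive)}"
        return {"Score": DBOT_BAD, "Malicious": {"Vendor": VENDOR, "Description": desc}}
    return {"Score": DBOT_SUSPICIOUS if positive else DBOT_GOOD}


# Constructed sample context entries (not real scan data).
SAMPLE_REPORTS = [{"environmentId": "100", "threat_level": 0},
                  {"environmentId": "120", "threat_level": 2}]
SAMPLE_SCANNERS = [{"Name": "scanner_a", "Positives": 3, "Status": "done"},
                   {"Name": "scanner_b", "Positives": 0, "Status": "done"},
                   {"Name": "scanner_c", "Positives": 1, "Status": "done"}]
SAMPLE_WHITELIST = [{"ID": "url", "Value": False}]

if __name__ == "__main__":
    print(score_file_reports(SAMPLE_REPORTS, "2,3"))
    print(score_url_scanners(SAMPLE_SCANNERS, SAMPLE_WHITELIST))
```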