VT Hash Intel — VirusTotal Threat Intelligence

Instructions

Step 1: Identify IOCs from user input

The script auto-detects IOC type:

• Hash: 32 hex chars (MD5), 40 hex chars (SHA1), 64 hex chars (SHA256)
• URL: starts with http:// or https://
• IP: IPv4 format like 1.2.3.4
• Domain: everything else with dots and valid TLD (e.g. evil.com)

The script also handles defanged IOCs automatically:

• hxxp:// → http://
• hXXp:// → http://
• evil[.]com → evil.com
• 1[.]2[.]3[.]4 → 1.2.3.4

Step 2: Run the lookup

SKILL_DIR="$(dirname "$(find /root/.openclaw -name 'SKILL.md' -path '*/vt-hash-intel/*' 2>/dev/null | head -1)")"

# Single IOC (auto-detect type)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <ioc>

# Mixed batch (hashes + URLs + domains + IPs together)
python3 "$SKILL_DIR/scripts/vt_lookup.py" <hash> <url> <domain> <ip>

# Force type if auto-detection is wrong
python3 "$SKILL_DIR/scripts/vt_lookup.py" --type domain example.com

Step 3: Parse and present results

The JSON output always contains these common fields:

• ioc: the queried value
• ioc_type: "hash" | "url" | "domain" | "ip"
• detection_ratio: e.g. "45/72"
• threat_level: "clean" | "low" | "medium" | "high"
• threat_emoji: ✅ | ⚠️ | 🟠 | 🔴
• detections: array of engines that flagged it
• reputation: VT community reputation score
• vt_link: direct link to the VT report
• error: non-null if something went wrong

Hash-specific fields: sha256, md5, sha1, file_name, file_type, file_size_human, threat_label, popular_threat_name, crowdsourced_yara, sandbox_verdicts, sigma_rules

URL-specific fields: url, final_url, title, categories

Domain-specific fields: registrar, creation_date, dns_records, categories, popularity_ranks

IP-specific fields: asn, as_owner, country, network

Step 4: Format the response

IMPORTANT: Always present full contextual analysis regardless of threat level. Even when an IOC is "clean" (0 detections), the contextual information is extremely valuable for security analysis. A clean VT result does NOT mean an IOC is safe — it may be too new, targeted, or simply not yet submitted.

For hashes — present:

• Verdict line (emoji + level + detection ratio)
• File info: name, type, size, first seen date
• Threat classification (if malicious): family name, threat label
• Top engine detections (if any)
• YARA rules, sandbox verdicts, Sigma rules (if any)
• VT link
• Contextual analysis + recommendations

For URLs — present:

• Verdict line
• URL + final redirected URL (flag if different — could indicate redirect chain)
• Page title
• Categories assigned by security vendors
• Top detections (if any)
• VT link
• Contextual analysis: analyze whether the URL pattern looks suspicious (random strings, suspicious TLD, known bad path patterns like /wp-content/uploads/*.exe)
• Recommendations

For domains — always present these even if clean:

• Verdict line
• Registrar + creation date (flag if newly registered within last 30 days — common for phishing/malware)
• DNS records (A, AAAA, MX, NS, TXT records — helps identify hosting and infrastructure)
• Categories from security vendors
• Popularity ranking (low/no ranking on a queried domain can be suspicious)
• Reputation score
• VT link
• Contextual analysis: note if domain is very new, uses suspicious TLD, has low popularity, or uses known bulletproof hosting
• Recommendations

For IPs — always present these even if clean:

• Verdict line
• ASN number + AS owner (helps identify hosting provider — flag known bulletproof hosters)
• Country (geographic context)
• Network CIDR range
• Reputation score
• VT link
• Contextual analysis: note if IP belongs to a cloud provider, VPS, residential proxy, or known hosting provider. Flag countries commonly associated with malicious infrastructure if relevant.
• Recommendations

Threat level classification (same for all types):

Step 5: Recommendations

Always provide actionable recommendations based on threat level AND context:

• 🔴 high: Block immediately in firewall/EDR/proxy, sweep environment for related IOCs, investigate affected hosts, collect lateral IOCs (related hashes/domains/IPs from VT)
• 🟠 medium: Likely malicious — isolate and investigate, submit to sandbox, check network IOCs
• ⚠️ low: Possible false positive — verify with sandbox, check file/URL context and origin, monitor
• ✅ clean: Present all available context (ASN, country, registrar, DNS, categories, reputation). Remind user: "Clean on VT does not guarantee safety — the IOC may be too new, too targeted, or not yet submitted. Consider checking other threat intel sources (AbuseIPDB, Shodan, URLhaus, etc.)."
• ❓ not found: Never submitted to VT — does NOT mean safe. Suggest uploading file to VT, or checking AlienVault OTX, AbuseIPDB, URLhaus for additional coverage.

For batch results with mixed types, present a summary table first (IOC | type | verdict | detection ratio | key finding), then detailed reports for each item.

Error Handling

Examples

User: 帮我查一下这个hash 44d88612fea8a8f36de82e1278abb02f Agent: Detects MD5 hash → runs lookup → presents file threat report.

User: Check this URL: https://suspicious-site.com/download.exe Agent: Detects URL → runs lookup → presents URL analysis with categories and detections.

User: 这个域名安全吗？evil-domain.com Agent: Detects domain → runs lookup → presents domain report with DNS, WHOIS, and detections.

User: 查一下这些IOC: 44d88612fea8a8f36de82e1278abb02f