/malware_analyses

This API call enables searching for malware stored in ThreatExchange. With this call you can search for malware by free text (including file hashes) or all malware uploaded in a specific time window. Combinations of these query types are also allowed.

Parameters

The following query parameters are available (bold params are required):

  • access_token - The key for authenticating to the API, in the format <your-app-id>|<your-app-secret>. For example, if our app ID was 555 and our app secret aSdF123GhK, our access_token would be "555|aSdF123GhK".
  • limit - Defines the maximum size of a page of results. The maximum is 1,000.
  • sample_type - Defines the type of malware, one of MalwareAnalysisType
  • share_level - A given value of ShareLevelType
  • text - Freeform text field with a value to search for. This can be a file hash or a string found in other fields of the objects.
  • sort_order - A given SortOrderType
  • sort_by - Sort results by RELEVANCE or by CREATE_TIME. When sorting by RELEVANCE, your query will return results sorted by similarity against your text query.
  • status - A given StatusType
  • strict_text - When set to 'true', the API will not do approximate matching on the value in text
  • since - Returns malware collected after a timestamp
  • until - Returns malware collected before a timestamp
  • fields - A list of fields to return in the response

Example query for all malware in a 12 hour window:

https://graph.facebook.com/v2.8/malware_analyses?access_token=555|aSdF123GhK&since=1391813489&until=1391856689

Data returned:

{
  "data": [
    {
      "added_on": "2014-02-08T10:45:08+0000",
      "md5": "f5c3281ed489772c840a137011c76b58",
      "sha1": "2517620f427f0019e2eee3b36e206567b6e7a74a",
      "sha256": "cb57e263ab51f8e9b40d6f292bb17512cec0aa701bde14df33dfc06c815be54c",
      "status": "UNKNOWN",
      "victim_count": 0,
      "id": "760220740669930"
    },
    ...
  ],
  "paging": {
    "cursors": {
      "before": "MAZDZD",
      "after": "MjQZD"
    },
    "next": "https://graph.facebook.com/v2.8/malware_analyses?access_token=5555|1234&pretty=0&since=1391813489&until=1391856689&limit=25&after=MjQZD"
  }
}

The same query using cURL:

curl -i -X GET \
 "https://graph.facebook.com/v2.8/malware_analyses?since=1391813489&until=1391856689&access_token=5555%7C1234"

The same query in Python:

import json
import urllib.parse

import requests

app_id = '5555' # Replace this with your app ID
app_secret = '1234' # Replace this with your app secret
start_time = 1391813489
end_time = 1391856689

# urlencode percent-encodes the '|' in the access token
query_params = urllib.parse.urlencode({
    'access_token' : app_id + '|' + app_secret,
    'since' : start_time,
    'until' : end_time
    })

r = requests.get('https://graph.facebook.com/v2.8/malware_analyses?' + query_params)

# The response body is JSON, so parse it as JSON rather than as a Python literal
print(json.dumps(r.json(), sort_keys=True, indent=4, separators=(',', ': ')))

The same query in Java:

import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.Scanner;

public class MalwareAnalyses {

    public final static void main(String[] args) throws Exception {
        String url = "https://graph.facebook.com/v2.8/malware_analyses?";
        String appID = "555"; // Replace this with your app ID
        String appSecret = "1234"; // Replace this with your app secret
        String since = "1391813489";
        String until = "1391856689";

        String query = String.format("access_token=%s&since=%s&until=%s",
                appID + "|" + appSecret,
                since,
                until
                );
        URLConnection connection = new URL(url + query).openConnection();
        InputStream response = connection.getInputStream();
        System.out.print(convertStreamToString(response));
        response.close();
    }

    static String convertStreamToString(InputStream inputStream){
        Scanner scanner = new Scanner(inputStream).useDelimiter("\\A");
        return scanner.hasNext() ? scanner.next() : "";
    }

}

The same query in PHP:

<?php
  $appID = "555"; // Replace this with your AppID
  $appSecret = "1234"; // Replace this with your App Secret
  $since = '1391813489';
  $until = '1391856689';
  $access_token = $appID . "|" . $appSecret;

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL,
    "https://graph.facebook.com/v2.8/malware_analyses?" .
    "access_token=" . $access_token .
    "&since=" . $since .
    "&until=" . $until);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $response = curl_exec($ch);
  $json = json_encode(json_decode($response), JSON_PRETTY_PRINT);
  print($json . PHP_EOL);
  curl_close($ch);
?>
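
Collecting every result in a time window means following paging.next from the sample response until it is absent. The Python below is an added example, not part of the original documentation: it caps limit at the documented 1,000 and, because each URL carries the app secret, follows paging.next only over HTTPS to the API host. The fetch parameter, the max_pages guard and the TX_APP_ID / TX_APP_SECRET environment variable names are assumptions of this example.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://graph.facebook.com/v2.8/malware_analyses"
MAX_LIMIT = 1000  # documented maximum page size

def build_url(access_token, since, until, limit=MAX_LIMIT):
    """Build the first-page URL; urlencode turns the '|' in the token into %7C."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    params = {"access_token": access_token, "since": since,
              "until": until, "limit": limit}
    return BASE_URL + "?" + urllib.parse.urlencode(params)

def http_get_json(url):
    """Default fetcher: GET the URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def check_next_url(url):
    """The URL carries the app secret, so only follow it to the API host over HTTPS."""
    parts = urllib.parse.urlsplit(url)
    expected = urllib.parse.urlsplit(BASE_URL)
    if parts.scheme != "https" or parts.hostname != expected.hostname:
        raise ValueError("refusing to follow paging.next to " + repr(parts.hostname))
    return url

def iter_malware(first_url, fetch=http_get_json, max_pages=1000):
    """Yield every object in the window by following paging.next page by page."""
    url = first_url
    for _ in range(max_pages):
        page = fetch(url)
        yield from page.get("data", [])
        next_url = page.get("paging", {}).get("next")
        if not next_url:
            return  # last page: no further link to follow
        url = check_next_url(next_url)
    raise RuntimeError("stopped after max_pages pages; narrow the since/until window")

if __name__ == "__main__":
    # TX_APP_ID / TX_APP_SECRET are assumed variable names, not part of the API.
    token = os.environ["TX_APP_ID"] + "|" + os.environ["TX_APP_SECRET"]
    for sample in iter_malware(build_url(token, 1391813489, 1391856689)):
        print(sample["id"], sample.get("sha256"), sample.get("status"))
```

Reading the credentials from the environment keeps the app secret out of source control; the token still travels in the query string, so treat request URLs as sensitive in proxy and application logs.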