Version: Spectra Analyze 9.1.1

Static Analysis Report API

Retrieve Spectra Core analysis results for a local sample

GET /api/v2/samples/{hash_value}/ticore/

Get the full Spectra Core static analysis report for the requested sample. The requested sample must be present on the appliance.

If the optional fields parameter is not provided in the request, all available parts of the static analysis report are returned in the response. With this parameter, users can select which parts of the report they want to receive in the response.

Request Format

Request Parameters

| NAME | REQUIRED | DESCRIPTION | TYPE |
| --- | --- | --- | --- |
| hash_value | Required | Hash of the sample for which the analysis report should be returned. The sample must be present on the appliance. Supported hash types are SHA1, SHA256, SHA512, MD5. | path, string |
| fields | Optional | Comma-separated list of report fields to include in the response. Supported values: sha1, sha256, sha512, md5, imphash, info, application, protection, security, behaviour, certificate, document, mobile, media, web, email, strings, interesting_strings, classification, indicators, tags, attack, story, signatures, browser, software_package, malware | query, string |

Request Examples

cURL

# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://appliance.example.com/api/v2/samples/988881adc9fc3655077dc2d4d757d480b5ea0e11/ticore/?fields=sha256,story,interesting_strings' \
--header 'Authorization: Token exampletoken'

Python

import requests

# Change the values of token and hash_value
token = "exampletoken"
hash_value = "examplehash"
# Change the host name in the URL and the fields to be included in the response
url = f"https://appliance.example.com/api/v2/samples/{hash_value}/ticore/?fields=sha256,story,interesting_strings"

headers = {
    "Authorization": f"Token {token}"
}

# Add verify=False in the request if you are using a self-signed SSL certificate
response = requests.get(url, headers=headers)
print(response.text)
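
A hardened variant of the request above, as an added example that is not part of the vendor documentation. It rejects hash values that are not hex digests of a supported length before they are interpolated into the URL path, checks `fields` against the supported values listed in the parameters table, and keeps TLS verification on by trusting a CA bundle instead of setting verify=False. The function names, the `ca_file` parameter and the timeout are assumptions of this example.

```python
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the Request Parameters table on this page.
SUPPORTED_FIELDS = {
    "sha1", "sha256", "sha512", "md5", "imphash", "info", "application",
    "protection", "security", "behaviour", "certificate", "document",
    "mobile", "media", "web", "email", "strings", "interesting_strings",
    "classification", "indicators", "tags", "attack", "story", "signatures",
    "browser", "software_package", "malware",
}
# Hex digest lengths for MD5, SHA1, SHA256 and SHA512.
HASH_LENGTHS = {32, 40, 64, 128}


def build_request(host, token, hash_value, fields=()):
    """Validate the inputs and return a urllib Request for the ticore endpoint."""
    # The hash is placed in the URL path, so anything but a hex digest is refused.
    if len(hash_value) not in HASH_LENGTHS or not re.fullmatch(r"[0-9a-fA-F]+", hash_value):
        raise ValueError("hash_value must be an MD5, SHA1, SHA256 or SHA512 hex digest")
    unknown = sorted(set(fields) - SUPPORTED_FIELDS)
    if unknown:
        raise ValueError(f"unsupported report fields: {unknown}")
    url = f"https://{host}/api/v2/samples/{hash_value}/ticore/"
    if fields:
        url += "?" + urllib.parse.urlencode({"fields": ",".join(fields)}, safe=",")
    return urllib.request.Request(url, headers={"Authorization": f"Token {token}"})


def fetch_report(request, ca_file=None, timeout=30):
    """Send the request with certificate verification on; return (status, report)."""
    # ca_file (assumed parameter): PEM bundle holding the appliance's self-signed
    # or internal CA certificate, used in place of disabling verification.
    context = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(request, context=context, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (403, 404):  # Forbidden / Not found, per the status code table
            return err.code, None
        raise
```

`fetch_report(build_request(...), ca_file="appliance-ca.pem")` performs the call; the file name is a placeholder for the bundle exported from your appliance.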

Response Format

Response Examples

{
    "sha1": "988881adc9fc3655077dc2d4d757d480b5ea0e11",
    "sha256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
    "sha512": "e79b8ad22b34a54be999f4eadde2ee895c208d4b3d83f1954b61...", # shortened for clarity
    "md5": "14758f1afd44c09b7992073ccf00b43d",
    "imphash": # for PE files only
    "info": {...},
    "application": {...},
    "protection": {...},
    "security": {...},
    "behaviour": {...},
    "certificate": {...},
    "signatures": {...},
    "document": {...},
    "mobile": {...},
    "media": {...},
    "web": {...},
    "email": {...},
    "strings": [...],
    "interesting_strings": [...],
    "classification": {...},
    "indicators": [...],
    "attack": [...],
    "tags": [...],
    "story": {...},
}

Response Fields

| FIELD NAME | TYPE | DESCRIPTION |
| --- | --- | --- |
| sha1 | string | SHA1 hash of the sample |
| sha256 | string | SHA256 hash of the sample |
| sha512 | string | SHA512 hash of the sample |
| md5 | string | MD5 hash of the sample |
| imphash | string | Import hash of the sample. Retrieved only for PE files |
| info | object | Information about file type, size, embedded files, and hashes computed for the sample |
| application | object | If the sample is an application, contains information about its structure and capabilities |
| protection | object | Detected protection features and mechanisms such as cryptographic or compression algorithms |
| security | object | Detected security-related features, such as exploits |
| behaviour | object | Detected behavior properties of the sample |
| certificate | object | Certificate-related information extracted from the sample, such as issuer, thumbprint, signature |
| signatures | object | Signature-related information extracted from the sample, such as issuer, thumbprint, signature |
| document | object | If the sample is a document, contains information about its structure and capabilities |
| mobile | object | If the sample is a mobile application, contains information about its structure and capabilities |
| media | object | If the sample is a multimedia file, such as an image, contains information about its properties |
| web | object | If the sample is a web application or browser addon, contains information about its structure and capabilities |
| email | object | If the sample is an email message, contains information about its metadata |
| strings | array | Strings extracted from the sample |
| interesting_strings | array | URI strings extracted from the sample |
| classification | object | Sample status and source of classification |
| indicators | array | Detected actions that the sample is capable of performing, and their descriptions |
| attack | array | Spectra Core indicators mapped to MITRE threat IDs and techniques |
| tags | array | Labels automatically generated by Spectra Core during analysis based on the sample’s metadata properties (“ticore”) or added by the users on the appliance (“user”) |
| story | string | Natural language file behavior description |
| browser | object | Browser-related data |
| software_package | object | Software package data |
| malware | object | Malware-related data |

Response Status Codes

| CODE | DESCRIPTION |
| --- | --- |
| 200 | OK |
| 403 | Forbidden |
| 404 | Not found |