Extracted Files API

List files extracted from a local sample

GET /api/samples/v2/{hash_value}/extracted-files/

Get a list of all files the Spectra Core engine extracted from the requested sample during static analysis. The requested sample must be present on the appliance prior to sending a request to this endpoint.

If the requested sample doesn’t have any extracted files, an empty response body is returned with the status code 200.

Request Format

Request Parameters

NAME	REQUIRED	DESCRIPTION	TYPE
hash_value	Required	Hash of the sample for which the extracted files should be listed. Only one hash can be submitted in one request. Supported hash types: SHA1, SHA256, SHA512, MD5	path, string
page	Optional	Optional parameter used for pagination. When this parameter is omitted from the request, all available samples are returned at once. This parameter cannot be used without page_size. Use page_size to set how many samples should be on each page, and then specify which page to return with page in the same request. The count value in the response indicates the total number of samples. Use this number as guidance for pagination. The values of page size and page multiplied must not exceed the count value. For example, if count is 80 and page_size is set to 10, it is not possible to request page=9.	query, string
page_size	Optional	Optional parameter that controls how many samples to return in the response. It can be used with or without the page parameter. When this parameter is included in the request, the response contains the next field with the link to the next page of results. When this parameter is omitted from the request, all available samples are returned at once.	query, string

Request Examples

cURL

# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://appliance.example.com/api/samples/v2/cf8e42c4a0862c807f0de3c656d2cd1c99cc5a27/extracted-files/' \
  --header 'Authorization: Token exampletoken'

cURL with pagination

# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://a1000.example.com/api/samples/v2/cf8e42c4a0862c807f0de3c656d2cd1c99cc5a27/extracted-files/?page_size=10&page=2' \
  --header 'Authorization: Token exampletoken'

Python

import requests

# Change the values of token and hash_value
token = "exampletoken"
hash_value = "examplehash"
# Change the host name in the URL
url = f"https://appliance.example.com/api/samples/v2/{hash_value}/extracted-files/"

headers = {
    "Authorization": f"Token {token}"
}

# Add verify=False in the request if you are using a self-signed SSL certificate
response = requests.get(url, headers=headers)
print(response.text)

Response Format

Response Examples

{
"count": 5,
"next": null,
"previous": null,
"results": [
    {
      "id": 197,
      "parent_relationship": null,
      "sample": {
        "id": 192,
        "sha1": "9ef1d22739a73f659f6b6491690902a33bdfea5d",
        "sha256": "21b4f2da06f71e05f8c1c01093aae34231890e05ce366c98e3f09b6a7cdfc703",
        "md5": "63f6eb996dcc1d09eb7a73cde1f55179",
        "type_display": "PE/Exe",
        "category": "application",
        "file_type": "PE",
        "file_subtype": "Exe",
        "identification_name": "",
        "identification_version": "",
        "file_size": 267278,
        "extracted_file_count": 2,
        "local_first_seen": "2016-05-05T09:57:50.910412Z",
        "local_last_seen": "2016-05-05T13:43:21.282072Z",
        "classification": "malicious",
        "riskscore": 10,
        "classification_result": "Win32.Trojan.Bitman"
      },
      "filename": "DeVuongHoi.exe",
      "path": "DeVuongHoi.exe"
    },
    {
    "id": 198,
    "parent_relationship": null,
    "sample": {
      "id": 198,
      "sha1": "9ef1d22739a73f659f6b6491690902a33bdfea5d",
      "sha256": "21b4f2da06f71e05f8c1c01093aae34231890e05ce366c98e3f09b6a7cdfc703",
      "md5": "63f6eb996dcc1d09eb7a73cde1f55179",
      "type_display": "PE/Exe",
      "category": "application",
      "file_type": "PE",
      "file_subtype": "Exe",
      "identification_name": "",
      "identification_version": "",
      "file_size": 290816,
      "extracted_file_count": 1,
      "local_first_seen": "2016-05-05T09:58:27.096525Z",
      "local_last_seen": "2016-05-05T09:58:27.096525Z",
      "classification": "malicious",
      "riskscore":7,
      "classification_result": "Win32.Malware.YARA"
      },
      "filename": "DieGroupv8.exe",
      "path": "DieGroupv8.exe"
    },
...

Response Fields

FIELD NAME	TYPE
id	integer
parent_relationship	string
sample	object
filename	string
path	string

FIELD NAME	DATA TYPE
id	integer
sha1	string
sha256	string
md5	string
type_display	string
category	string
file_type	string
file_subtype	string
identification_name	string
identification_version	string
file_size	integer
extracted_file_count	integer
local_first_seen	string
local_last_seen	string
classification	string
riskscore	integer
classification_result	string

Response Status Codes

CODE	DESCRIPTION
200	OK
400	Bad Request
403	Forbidden
404	Not Found

Download files extracted from a local sample

GET /api/samples/{hash_value}/unpacked/

Download files extracted from the requested sample to the local storage. The files are obtained through the unpacking process during sample analysis with the Spectra Core static analysis engine. The requested sample must be present on the appliance prior to sending a request to this endpoint.

Extracted files are downloaded in a single compressed archive file.

If the requested sample doesn’t have any extracted files, the 404 Not Found response is returned.

Request Format

Request Parameters

NAME	REQUIRED	DESCRIPTION	TYPE
hash_value	Required	Hash of the sample for which the extracted files should be downloaded. Only one hash can be submitted in one request. Supported hash types: SHA1, SHA256, SHA512, MD5	path, string

Request Examples

cURL

# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://appliance.example.com/api/samples/98a353d6d06cbdfd1146b3c917da9efacd90349c/unpacked/' \
  --header 'Authorization: Token exampletoken' \
  --output <FILENAME>

Python

import requests

# Change the values of hash_value and token
hash_value = "examplehash"
token = "exampletoken"

# Change the hostname to the one you use
url = f"https://appliance.example.com/api/samples/{hash_value}/unpacked/"

headers = {
    "Authorization": f"Token {token}"
}

# Add verify=False in the request if you are using a self-signed SSL certificate
response = requests.get(url, headers=headers)

with open("filename", "wb") as f:
   f.write(response.content)

Response Format

Response Status Codes

CODE	DESCRIPTION
200	OK
403	Forbidden
404	Sample not found
410	Unable to retrieve extracted file content