Extracted Files API
List files extracted from a local sample
GET /api/samples/v2/{hash_value}/extracted-files/
Get a list of all files the Spectra Core engine extracted from the requested sample during static analysis. The requested sample must be present on the appliance prior to sending a request to this endpoint.
If the requested sample doesn’t have any extracted files, an empty response body is returned with the status code 200.
Request Format
Request Parameters
NAME | REQUIRED | DESCRIPTION | TYPE |
---|---|---|---|
hash_value | Required | Hash of the sample for which the extracted files should be listed. Only one hash can be submitted in one request. Supported hash types: SHA1, SHA256, SHA512, MD5 | path, string |
page | Optional | Optional parameter used for pagination. When this parameter is omitted from the request, all available samples are returned at once. This parameter cannot be used without page_size. Use page_size to set how many samples should be on each page, and then specify which page to return with page in the same request. The count value in the response indicates the total number of samples. Use this number as guidance for pagination. The values of page_size and page multiplied must not exceed the count value. For example, if count is 80 and page_size is set to 10, it is not possible to request page=9. | query, string |
page_size | Optional | Optional parameter that controls how many samples to return in the response. It can be used with or without the page parameter. When this parameter is included in the request, the response contains the next field with the link to the next page of results. When this parameter is omitted from the request, all available samples are returned at once. | query, string |
Request Examples
cURL
# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://appliance.example.com/api/samples/v2/cf8e42c4a0862c807f0de3c656d2cd1c99cc5a27/extracted-files/' \
--header 'Authorization: Token exampletoken'
cURL with pagination
# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://a1000.example.com/api/samples/v2/cf8e42c4a0862c807f0de3c656d2cd1c99cc5a27/extracted-files/?page_size=10&page=2' \
--header 'Authorization: Token exampletoken'
Python
import requests
# Change the values of token and hash_value
token = "exampletoken"
hash_value = "examplehash"
# Change the host name in the URL
url = f"https://appliance.example.com/api/samples/v2/{hash_value}/extracted-files/"
headers = {
    "Authorization": f"Token {token}"
}
# Add verify=False in the request if you are using a self-signed SSL certificate
response = requests.get(url, headers=headers)
print(response.text)
Response Format
Response Examples
{
    "count": 5,
    "next": null,
    "previous": null,
    "results": [
        {
            "id": 197,
            "parent_relationship": null,
            "sample": {
                "id": 192,
                "sha1": "9ef1d22739a73f659f6b6491690902a33bdfea5d",
                "sha256": "21b4f2da06f71e05f8c1c01093aae34231890e05ce366c98e3f09b6a7cdfc703",
                "md5": "63f6eb996dcc1d09eb7a73cde1f55179",
                "type_display": "PE/Exe",
                "category": "application",
                "file_type": "PE",
                "file_subtype": "Exe",
                "identification_name": "",
                "identification_version": "",
                "file_size": 267278,
                "extracted_file_count": 2,
                "local_first_seen": "2016-05-05T09:57:50.910412Z",
                "local_last_seen": "2016-05-05T13:43:21.282072Z",
                "classification": "malicious",
                "riskscore": 10,
                "classification_result": "Win32.Trojan.Bitman"
            },
            "filename": "DeVuongHoi.exe",
            "path": "DeVuongHoi.exe"
        },
        {
            "id": 198,
            "parent_relationship": null,
            "sample": {
                "id": 198,
                "sha1": "9ef1d22739a73f659f6b6491690902a33bdfea5d",
                "sha256": "21b4f2da06f71e05f8c1c01093aae34231890e05ce366c98e3f09b6a7cdfc703",
                "md5": "63f6eb996dcc1d09eb7a73cde1f55179",
                "type_display": "PE/Exe",
                "category": "application",
                "file_type": "PE",
                "file_subtype": "Exe",
                "identification_name": "",
                "identification_version": "",
                "file_size": 290816,
                "extracted_file_count": 1,
                "local_first_seen": "2016-05-05T09:58:27.096525Z",
                "local_last_seen": "2016-05-05T09:58:27.096525Z",
                "classification": "malicious",
                "riskscore": 7,
                "classification_result": "Win32.Malware.YARA"
            },
            "filename": "DieGroupv8.exe",
            "path": "DieGroupv8.exe"
        },
        ...
Response Fields
FIELD NAME | TYPE |
---|---|
id | integer |
parent_relationship | string |
sample | object |
filename | string |
path | string |
Fields of the sample object:
FIELD NAME | TYPE |
---|---|
id | integer |
sha1 | string |
sha256 | string |
md5 | string |
type_display | string |
category | string |
file_type | string |
file_subtype | string |
identification_name | string |
identification_version | string |
file_size | integer |
extracted_file_count | integer |
local_first_seen | string |
local_last_seen | string |
classification | string |
riskscore | integer |
classification_result | string |
Response Status Codes
CODE | DESCRIPTION |
---|---|
200 | OK |
400 | Bad Request |
403 | Forbidden |
404 | Not Found |
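The following is an added example, not part of the original documentation: it walks the listing with page_size by following the next link, treats the documented empty 200 body as "no extracted files", refuses to send the token to a next link on another host, and then picks out malicious entries by riskscore. The fetch helper, the function names and the two-page sample data are assumptions constructed for the example.

```python
import json
from urllib.parse import urlsplit

def iter_extracted_files(fetch, base_url, hash_value, page_size=10):
    """Yield each `results` entry, following `next` until it is null.
    fetch(url) is a caller-supplied helper (assumed here) that adds the
    Authorization header and returns (status_code, body_text)."""
    origin = urlsplit(base_url)[:2]  # (scheme, host) the token is meant for
    url = f"{base_url}/api/samples/v2/{hash_value}/extracted-files/?page_size={page_size}"
    while url:
        if urlsplit(url)[:2] != origin:
            raise ValueError(f"refusing to send the token to {url}")
        status, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}")
        if not body.strip():  # documented case: 200 with an empty body
            return
        page = json.loads(body)
        yield from page["results"]
        url = page["next"]

def high_risk(entries, min_riskscore=7):
    """Sorted (path, sha256, riskscore) of malicious entries at or above the threshold."""
    return sorted(
        (e["path"], e["sample"]["sha256"], e["sample"]["riskscore"])
        for e in entries
        if e["sample"]["classification"] == "malicious"
        and e["sample"]["riskscore"] >= min_riskscore
    )

# Constructed two-page listing for an offline run; every value is made up.
BASE = "https://appliance.example.com"
PAGE1 = f"{BASE}/api/samples/v2/examplehash/extracted-files/?page_size=2"
PAGE2 = PAGE1 + "&page=2"

def entry(path, classification, riskscore):
    return {"path": path, "sample": {"sha256": "0" * 64,
            "classification": classification, "riskscore": riskscore}}

FAKE_PAGES = {
    PAGE1: {"count": 3, "next": PAGE2, "results": [
        entry("a.exe", "malicious", 10), entry("b.txt", "goodware", 0)]},
    PAGE2: {"count": 3, "next": None, "results": [entry("c.dll", "malicious", 7)]},
}

def fake_fetch(url):
    return 200, json.dumps(FAKE_PAGES[url])

if __name__ == "__main__":
    print(high_risk(iter_extracted_files(fake_fetch, BASE, "examplehash", 2)))
```

In real use, replace fake_fetch with a wrapper around the HTTP client that returns the status code and response text.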
Download files extracted from a local sample
GET /api/samples/{hash_value}/unpacked/
Download files extracted from the requested sample to the local storage. The files are obtained through the unpacking process during sample analysis with the Spectra Core static analysis engine. The requested sample must be present on the appliance prior to sending a request to this endpoint.
Extracted files are downloaded in a single compressed archive file.
If the requested sample doesn’t have any extracted files, the 404 Not Found response is returned.
Request Format
Request Parameters
NAME | REQUIRED | DESCRIPTION | TYPE |
---|---|---|---|
hash_value | Required | Hash of the sample for which the extracted files should be downloaded. Only one hash can be submitted in one request. Supported hash types: SHA1, SHA256, SHA512, MD5 | path, string |
Request Examples
cURL
# Add --insecure before the URL if you are using a self-signed SSL certificate
curl -X GET 'https://appliance.example.com/api/samples/98a353d6d06cbdfd1146b3c917da9efacd90349c/unpacked/' \
--header 'Authorization: Token exampletoken' \
--output <FILENAME>
Python
import requests
# Change the values of hash_value and token
hash_value = "examplehash"
token = "exampletoken"
# Change the hostname to the one you use
url = f"https://appliance.example.com/api/samples/{hash_value}/unpacked/"
headers = {
    "Authorization": f"Token {token}"
}
# Add verify=False in the request if you are using a self-signed SSL certificate
response = requests.get(url, headers=headers)
# Write the returned archive to a local file
with open("filename", "wb") as f:
    f.write(response.content)
Response Format
Response Status Codes
CODE | DESCRIPTION |
---|---|
200 | OK |
403 | Forbidden |
404 | Sample not found |
410 | Unable to retrieve extracted file content |
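The following is an added example, not part of the original documentation: it saves the archive only when the status code is 200, so that a 403, 404 or 410 error body is never written to disk as if it were the archive, and it returns the SHA-256 of what was saved. The function name, the temporary-file approach and the sample bytes are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

# Status codes listed for GET /api/samples/{hash_value}/unpacked/ on this page.
# 404 covers both a missing sample and a sample with no extracted files.
ERRORS = {
    403: "Forbidden",
    404: "Sample not found, or it has no extracted files",
    410: "Unable to retrieve extracted file content",
}

def save_unpacked(status_code, chunks, dest_path):
    """Write the archive to dest_path only on HTTP 200 and return its SHA-256.

    status_code and chunks (an iterable of bytes) come from the HTTP client,
    e.g. response.status_code and response.iter_content(chunk_size=65536)
    when the request was made with requests.get(..., stream=True).
    """
    if status_code != 200:
        reason = ERRORS.get(status_code, "unexpected status")
        raise RuntimeError(f"HTTP {status_code}: {reason}")
    digest = hashlib.sha256()
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".part")  # owner-only file
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                f.write(chunk)
                digest.update(chunk)
        os.replace(tmp, dest_path)  # no partial archive under the final name
    except BaseException:
        os.unlink(tmp)
        raise
    return digest.hexdigest()

if __name__ == "__main__":
    # Constructed bytes standing in for a downloaded archive.
    out = os.path.join(tempfile.mkdtemp(), "unpacked.archive")
    print(save_unpacked(200, [b"constructed ", b"archive bytes"], out))
```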