Appearance
Malwoverview Cheat Sheet
Overview
Malwoverview is a comprehensive threat hunting and malware analysis tool designed to provide security analysts with detailed information about suspicious files, URLs, and potential threats. Developed as a Python-based command-line utility, Malwoverview integrates with multiple threat intelligence platforms and malware analysis services to deliver comprehensive threat assessments. The tool serves as a centralized interface for querying various security services, enabling analysts to quickly gather intelligence about potential threats without manually accessing multiple platforms.
The tool's primary strength lies in its ability to aggregate threat intelligence from diverse sources including VirusTotal, Hybrid Analysis, URLVoid, Shodan, and other security services. This aggregation capability allows security professionals to obtain a holistic view of potential threats by correlating information from multiple authoritative sources. Malwoverview supports analysis of various artifact types including file hashes, URLs, IP addresses, and domains, making it versatile for different threat hunting scenarios.
Malwoverview is particularly valuable in incident response scenarios where rapid threat assessment is critical. The tool's automated querying capabilities can significantly reduce the time required to gather threat intelligence, allowing analysts to focus on analysis and decision-making rather than manual data collection. The tool also provides structured output formats that can be easily integrated into security orchestration platforms and incident response workflows.
The framework supports both interactive and batch processing modes, enabling analysts to perform single-artifact analysis or process large datasets efficiently. Its modular architecture allows for easy extension and customization, making it adaptable to specific organizational requirements and threat intelligence workflows. The tool's logging and reporting capabilities provide audit trails and facilitate knowledge sharing among security teams.
Installation
Prerequisites
bash
# Install Python and pip
sudo apt update
sudo apt install python3 python3-pip git
# Install required Python packages
pip3 install requests colorama configparser pefile python-magic
# Install additional dependencies
sudo apt install libmagic1 libmagic-dev
# For CentOS/RHEL
sudo yum install python3 python3-pip git file-devel
pip3 install requests colorama configparser pefile python-magic
# For macOS
brew install python3 git libmagic
pip3 install requests colorama configparser pefile python-magicStandard Installation
bash
# Clone Malwoverview repository
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview
# Install Python dependencies
pip3 install -r requirements.txt
# Make executable
chmod +x malwoverview.py
# Test installation
python3 malwoverview.py --help
# Create symbolic link for system-wide access
sudo ln -s $(pwd)/malwoverview.py /usr/local/bin/malwoverviewVirtual Environment Installation
bash
# Create virtual environment
python3 -m venv malwoverview-env
source malwoverview-env/bin/activate
# Clone and install
git clone https://github.com/alexandreborges/malwoverview.git
cd malwoverview
pip install -r requirements.txt
# Create activation script
cat << 'EOF' > activate-malwoverview.sh
#!/bin/bash
source /path/to/malwoverview-env/bin/activate
cd /path/to/malwoverview
python3 malwoverview.py "$@"
EOF
chmod +x activate-malwoverview.shDocker Installation
bash
# Create Dockerfile
cat << 'EOF' > Dockerfile
FROM python:3.9-slim
RUN apt-get update && apt-get install -y \
git \
libmagic1 \
libmagic-dev \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
RUN git clone https://github.com/alexandreborges/malwoverview.git .
RUN pip install -r requirements.txt
ENTRYPOINT ["python3", "malwoverview.py"]
EOF
# Build image
docker build -t malwoverview .
# Run container
docker run --rm -it -v $(pwd)/config:/app/config malwoverview --help
# Create alias
echo 'alias malwoverview="docker run --rm -it -v $(pwd)/config:/app/config malwoverview"' >> ~/.bashrcConfiguration Setup
bash
# Create configuration directory
mkdir -p ~/.malwoverview
# Create API configuration file
cat << 'EOF' > ~/.malwoverview/malwoverview.conf
[VIRUSTOTAL]
vtapi = your_virustotal_api_key
[HYBRIDANALYSIS]
haapi = your_hybrid_analysis_api_key
[URLVOID]
urlvoidapi = your_urlvoid_api_key
[SHODAN]
shodanapi = your_shodan_api_key
[MALSHARE]
malshareapi = your_malshare_api_key
[POLYSWARM]
polyswarmapi = your_polyswarm_api_key
[ALIENVAULT]
alienvaultapi = your_alienvault_api_key
EOF
# Set proper permissions
chmod 600 ~/.malwoverview/malwoverview.confBasic Usage
Command Line Interface
bash
# Show help
malwoverview --help
python3 malwoverview.py -h
# Show version
malwoverview --version
# Basic file analysis
malwoverview -f /path/to/suspicious_file.exe
# Hash analysis
malwoverview -H md5_hash_here
malwoverview -H sha1_hash_here
malwoverview -H sha256_hash_here
# URL analysis
malwoverview -u http://suspicious-domain.com
# IP address analysis
malwoverview -i 192.168.1.100
# Domain analysis
malwoverview -d suspicious-domain.comConfiguration Options
bash
# Use custom configuration file
malwoverview -c /path/to/custom.conf -f file.exe
# Specify output format
malwoverview -f file.exe -o json
malwoverview -f file.exe -o csv
malwoverview -f file.exe -o xml
# Enable verbose output
malwoverview -v -f file.exe
# Quiet mode
malwoverview -q -f file.exe
# Save output to file
malwoverview -f file.exe > analysis_report.txt
malwoverview -f file.exe -o json > report.jsonFile Analysis
Single File Analysis
bash
# Analyze executable file
malwoverview -f /path/to/malware.exe
# Analyze document
malwoverview -f /path/to/document.pdf
# Analyze script
malwoverview -f /path/to/script.js
# Analyze with specific engines
malwoverview -f file.exe --engines virustotal,hybridanalysis
# Force analysis even if cached
malwoverview -f file.exe --force
# Include metadata extraction
malwoverview -f file.exe --metadataBatch File Analysis
bash
# Analyze multiple files
malwoverview -f file1.exe file2.dll file3.pdf
# Analyze directory
malwoverview -d /path/to/malware_samples/
# Recursive directory analysis
malwoverview -d /path/to/samples/ --recursive
# Filter by file type
malwoverview -d /path/to/samples/ --filter "*.exe,*.dll"
# Exclude certain files
malwoverview -d /path/to/samples/ --exclude "*.txt,*.log"
# Parallel processing
malwoverview -d /path/to/samples/ --threads 5Hash-Based Analysis
bash
# MD5 hash analysis
malwoverview -H 5d41402abc4b2a76b9719d911017c592
# SHA1 hash analysis
malwoverview -H aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
# SHA256 hash analysis
malwoverview -H 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
# Multiple hashes
malwoverview -H hash1,hash2,hash3
# Hash list from file
malwoverview -H @hash_list.txt
# Specific hash type
malwoverview -H hash_value --hash-type sha256Network Analysis
URL Analysis
bash
# Single URL analysis
malwoverview -u http://suspicious-site.com
# Multiple URLs
malwoverview -u http://site1.com,http://site2.com
# URL list from file
malwoverview -u @url_list.txt
# Include screenshot
malwoverview -u http://site.com --screenshot
# Check redirects
malwoverview -u http://site.com --follow-redirects
# Custom user agent
malwoverview -u http://site.com --user-agent "Mozilla/5.0..."IP Address Analysis
bash
# Single IP analysis
malwoverview -i 192.168.1.100
# Multiple IPs
malwoverview -i 192.168.1.100,10.0.0.1
# IP range analysis
malwoverview -i 192.168.1.0/24
# Include geolocation
malwoverview -i 192.168.1.100 --geolocation
# Port scanning
malwoverview -i 192.168.1.100 --ports
# Include WHOIS information
malwoverview -i 192.168.1.100 --whoisDomain Analysis
bash
# Domain reputation check
malwoverview -d suspicious-domain.com
# Include subdomains
malwoverview -d domain.com --subdomains
# DNS analysis
malwoverview -d domain.com --dns
# Certificate analysis
malwoverview -d domain.com --certificate
# Historical data
malwoverview -d domain.com --historical
# Passive DNS
malwoverview -d domain.com --passive-dnsAdvanced Analysis
Threat Intelligence Integration
bash
# VirusTotal analysis
malwoverview -f file.exe --vt-only
# Hybrid Analysis
malwoverview -f file.exe --ha-only
# Multiple engines
malwoverview -f file.exe --engines vt,ha,urlvoid
# Custom API keys
malwoverview -f file.exe --vt-api your_api_key
# Rate limiting
malwoverview -f file.exe --rate-limit 4
# Timeout settings
malwoverview -f file.exe --timeout 30Metadata Extraction
bash
# Extract PE metadata
malwoverview -f file.exe --pe-info
# Extract strings
malwoverview -f file.exe --strings
# Extract imports
malwoverview -f file.exe --imports
# Extract exports
malwoverview -f file.exe --exports
# Extract resources
malwoverview -f file.exe --resources
# Extract certificates
malwoverview -f file.exe --certificates
# All metadata
malwoverview -f file.exe --all-metadataBehavioral Analysis
bash
# Dynamic analysis
malwoverview -f file.exe --dynamic
# Sandbox analysis
malwoverview -f file.exe --sandbox cuckoo
# Network behavior
malwoverview -f file.exe --network-behavior
# File system behavior
malwoverview -f file.exe --fs-behavior
# Registry behavior
malwoverview -f file.exe --registry-behavior
# Process behavior
malwoverview -f file.exe --process-behaviorReporting and Output
Output Formats
bash
# JSON output
malwoverview -f file.exe -o json
# CSV output
malwoverview -f file.exe -o csv
# XML output
malwoverview -f file.exe -o xml
# HTML report
malwoverview -f file.exe -o html
# PDF report
malwoverview -f file.exe -o pdf
# Custom template
malwoverview -f file.exe --template custom_template.jinja2Report Customization
bash
# Include specific sections
malwoverview -f file.exe --sections detection,metadata,behavior
# Exclude sections
malwoverview -f file.exe --exclude-sections strings,imports
# Custom report title
malwoverview -f file.exe --title "Malware Analysis Report"
# Add analyst information
malwoverview -f file.exe --analyst "John Doe" --organization "Security Team"
# Include timestamps
malwoverview -f file.exe --timestamps
# Add executive summary
malwoverview -f file.exe --executive-summaryData Export
bash
# Export to database
malwoverview -f file.exe --export-db sqlite:///analysis.db
# Export to SIEM
malwoverview -f file.exe --export-siem splunk
# Export to MISP
malwoverview -f file.exe --export-misp http://misp-server.com
# Export IOCs
malwoverview -f file.exe --export-iocs iocs.txt
# Export YARA rules
malwoverview -f file.exe --export-yara rules.yar
# Export STIX
malwoverview -f file.exe --export-stix report.stixAutomation and Scripting
Batch Processing
bash
# Process hash list
cat << 'EOF' > hash_list.txt
5d41402abc4b2a76b9719d911017c592
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
EOF
malwoverview -H @hash_list.txt -o json > batch_results.json
# Process URL list
cat << 'EOF' > url_list.txt
http://suspicious-site1.com
http://malicious-domain.net
http://phishing-site.org
EOF
malwoverview -u @url_list.txt -o csv > url_analysis.csvAutomation Scripts
bash
#!/bin/bash
# Automated malware analysis script
cat << 'EOF' > analyze_samples.sh
#!/bin/bash
SAMPLE_DIR="/path/to/samples"
OUTPUT_DIR="/path/to/reports"
DATE=$(date +%Y%m%d_%H%M%S)
# Create output directory
mkdir -p "$OUTPUT_DIR/$DATE"
# Analyze all samples
for file in "$SAMPLE_DIR"/*; do
if [ -f "$file" ]; then
filename=$(basename "$file")
echo "Analyzing $filename..."
malwoverview -f "$file" -o json > "$OUTPUT_DIR/$DATE/${filename}.json"
malwoverview -f "$file" -o html > "$OUTPUT_DIR/$DATE/${filename}.html"
# Extract IOCs
malwoverview -f "$file" --export-iocs "$OUTPUT_DIR/$DATE/${filename}_iocs.txt"
fi
done
# Generate summary report
python3 generate_summary.py "$OUTPUT_DIR/$DATE" > "$OUTPUT_DIR/$DATE/summary.html"
echo "Analysis complete. Reports saved to $OUTPUT_DIR/$DATE"
EOF
chmod +x analyze_samples.shPython Integration
python
#!/usr/bin/env python3
# Python wrapper for Malwoverview
import subprocess
import json
import sys
class MalwoverviewAPI:
def __init__(self, config_file=None):
self.config_file = config_file
self.base_cmd = ['python3', 'malwoverview.py']
if config_file:
self.base_cmd.extend(['-c', config_file])
def analyze_file(self, file_path, output_format='json'):
cmd = self.base_cmd + ['-f', file_path, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: {result.stderr}")
def analyze_hash(self, hash_value, output_format='json'):
cmd = self.base_cmd + ['-H', hash_value, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: {result.stderr}")
def analyze_url(self, url, output_format='json'):
cmd = self.base_cmd + ['-u', url, '-o', output_format]
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode == 0:
if output_format == 'json':
return json.loads(result.stdout)
return result.stdout
else:
raise Exception(f"Analysis failed: {result.stderr}")
# Usage example
if __name__ == "__main__":
api = MalwoverviewAPI()
# Analyze file
try:
result = api.analyze_file('/path/to/sample.exe')
print(f"Detection ratio: {result.get('detection_ratio', 'N/A')}")
print(f"Threat level: {result.get('threat_level', 'N/A')}")
except Exception as e:
print(f"Error: {e}")Integration Examples
SIEM Integration
bash
# Splunk integration
#!/bin/bash
cat << 'EOF' > splunk_integration.sh
#!/bin/bash
# Analyze file and send to Splunk
analyze_and_send() {
local file="$1"
local splunk_index="malware_analysis"
# Analyze file
result=$(malwoverview -f "$file" -o json)
# Send to Splunk
echo "$result" | curl -k -H "Authorization: Splunk $SPLUNK_TOKEN" \
-X POST "$SPLUNK_HEC_URL/services/collector" \
-d @- \
-H "Content-Type: application/json"
}
# Monitor directory for new samples
inotifywait -m -e create /path/to/samples --format '%w%f' | while read file; do
analyze_and_send "$file"
done
EOF
chmod +x splunk_integration.shMISP Integration
python
#!/usr/bin/env python3
# MISP integration script
import requests
import json
import subprocess
from pymisp import PyMISP
class MalwoverviewMISP:
def __init__(self, misp_url, misp_key):
self.misp = PyMISP(misp_url, misp_key, ssl=False)
def analyze_and_create_event(self, file_path, event_info):
# Analyze with Malwoverview
cmd = ['malwoverview', '-f', file_path, '-o', 'json']
result = subprocess.run(cmd, capture_output=True, text=True)
if result.returncode != 0:
raise Exception(f"Analysis failed: {result.stderr}")
analysis_data = json.loads(result.stdout)
# Create MISP event
event = self.misp.new_event(info=event_info)
# Add file hash
if 'md5' in analysis_data:
self.misp.add_hashes(event, md5=analysis_data['md5'])
if 'sha1' in analysis_data:
self.misp.add_hashes(event, sha1=analysis_data['sha1'])
if 'sha256' in analysis_data:
self.misp.add_hashes(event, sha256=analysis_data['sha256'])
# Add detection information
if 'detections' in analysis_data:
for detection in analysis_data['detections']:
self.misp.add_attribute(event, 'text', detection['name'])
# Add network indicators
if 'network_indicators' in analysis_data:
for indicator in analysis_data['network_indicators']:
if indicator['type'] == 'domain':
self.misp.add_attribute(event, 'domain', indicator['value'])
elif indicator['type'] == 'ip':
self.misp.add_attribute(event, 'ip-dst', indicator['value'])
elif indicator['type'] == 'url':
self.misp.add_attribute(event, 'url', indicator['value'])
return event
# Usage
misp_integration = MalwoverviewMISP('https://misp.example.com', 'your_api_key')
event = misp_integration.analyze_and_create_event('/path/to/malware.exe', 'Malware Analysis')Threat Hunting Workflow
bash
#!/bin/bash
# Automated threat hunting workflow
cat << 'EOF' > threat_hunting.sh
#!/bin/bash
HUNT_DIR="/tmp/threat_hunt_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$HUNT_DIR"
# Function to analyze suspicious files
hunt_files() {
echo "Hunting for suspicious files..."
# Find recently modified executables
find /tmp /var/tmp -name "*.exe" -mtime -1 2>/dev/null | while read file; do
echo "Analyzing: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/$(basename $file).json"
done
# Find files with suspicious names
find / -name "*crypt*" -o -name "*hack*" -o -name "*payload*" 2>/dev/null | while read file; do
if [ -f "$file" ]; then
echo "Analyzing suspicious file: $file"
malwoverview -f "$file" -o json > "$HUNT_DIR/suspicious_$(basename $file).json"
fi
done
}
# Function to analyze network connections
hunt_network() {
echo "Hunting for suspicious network activity..."
# Get active connections
netstat -an | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort -u | while read ip; do
if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Analyzing IP: $ip"
malwoverview -i "$ip" -o json > "$HUNT_DIR/ip_$ip.json"
fi
done
}
# Function to analyze suspicious domains
hunt_domains() {
echo "Hunting for suspicious domains..."
# Extract domains from browser history, logs, etc.
grep -h "http" /var/log/*.log 2>/dev/null | grep -oE 'https?://[^/]+' | cut -d/ -f3 | sort -u | while read domain; do
echo "Analyzing domain: $domain"
malwoverview -d "$domain" -o json > "$HUNT_DIR/domain_$domain.json"
done
}
# Execute hunting functions
hunt_files
hunt_network
hunt_domains
# Generate summary report
echo "Generating threat hunting report..."
python3 << 'PYTHON'
import json
import glob
import os
hunt_dir = os.environ.get('HUNT_DIR', '/tmp/threat_hunt_latest')
results = []
for json_file in glob.glob(f"{hunt_dir}/*.json"):
try:
with open(json_file, 'r') as f:
data = json.load(f)
if data.get('threat_level', 0) > 5:
results.append({
'file': json_file,
'threat_level': data.get('threat_level'),
'detections': data.get('detections', [])
})
except:
continue
print(f"Threat Hunting Summary - {len(results)} high-risk items found:")
for result in sorted(results, key=lambda x: x['threat_level'], reverse=True):
print(f"- {result['file']}: Threat Level {result['threat_level']}")
PYTHON
echo "Threat hunting complete. Results saved to $HUNT_DIR"
EOF
chmod +x threat_hunting.shTroubleshooting
Common Issues
bash
# API key configuration issues
malwoverview --test-apis
# Network connectivity issues
malwoverview --test-connectivity
# Permission issues
sudo chown -R $USER:$USER ~/.malwoverview
chmod 600 ~/.malwoverview/malwoverview.conf
# Python dependency issues
pip3 install --upgrade requests colorama configparser pefile python-magic
# File magic issues
sudo apt install libmagic1 libmagic-dev
pip3 install --upgrade python-magicDebug Mode
bash
# Enable debug logging
malwoverview -f file.exe --debug
# Verbose output
malwoverview -f file.exe -v
# Log to file
malwoverview -f file.exe --log-file analysis.log
# Test specific API
malwoverview --test-api virustotal
# Check configuration
malwoverview --show-configPerformance Optimization
bash
# Increase timeout for slow APIs
malwoverview -f file.exe --timeout 60
# Reduce rate limiting
malwoverview -f file.exe --rate-limit 1
# Use caching
malwoverview -f file.exe --cache-results
# Parallel processing
malwoverview -d /samples/ --threads 3
# Memory optimization
export PYTHONOPTIMIZE=1
ulimit -v 1048576 # Limit virtual memory⚠️ Security Notice: Malwoverview is a threat hunting and malware analysis tool that should be used responsibly and in accordance with applicable laws and regulations. When analyzing suspicious files or URLs, ensure you have proper authorization and are operating in a secure, isolated environment. The tool integrates with various third-party services, so be mindful of data privacy and sharing policies. Always verify the legitimacy of samples before analysis and follow your organization's incident response procedures when handling potential threats.
📚 Additional Resources: