Get a WildFire Analysis Report (WildFire API)

Use this resource to get a WildFire Analysis report for a specified sample hash value.
Because sample analysis normally takes approximately 5 minutes to complete, if you Submit Files and Links through the WildFire API, you should wait at least 5 minutes before you request a WildFire Analysis Report or Get a WildFire Verdict (WildFire API) on that submission.

Resource

/get/report/

Request Parameters

Use the following form parameters when requesting a WildFire Analysis report:
apikey
  Description: (Required) API key
  Example: apikey=b0e0e395614d46170ee7498452967c71

hash
  Description: (Required) MD5 or SHA-256 hash value of the sample
  Example: hash=afe6b95ad95bc689c356f34ec8d9094c495e4af57c932ac413b65ef132063acc

format
  Description: Report format
  Acceptable values:
    • xml (Default)
    • pdf

Example Request

Make a POST request to the /get/report resource and include the API key, the MD5 or SHA-256 hash value of the sample, and optionally include the platform, similar to the following cURL command:
curl -JO -F 'apikey=b0e0e395615d46120ee7498452967c72' -F 'hash=04f4f1c83f1e69b1f055202964536f13' \
  -F 'format=xml' 'https://wildfire.paloaltonetworks.com/publicapi/get/report'
The response saves the WildFire analysis report in either XML or PDF format. When requesting a PDF, the response uses an application/octet-stream content-type.
Here is an example XML report:
<wildfire> 
    <version>2.0</version> 
    <file_info> 
        <malware>yes</malware> 
        <sha1>828f02e6ca4bcf6c30264137f758fbe20dd866db</sha1> 
        <filetype>PE</filetype> 
        <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256> 
        <md5>04f4f1c83f1e69b1f055202964536f13</md5> 
        <size>796268</size> 
    </file_info> 
<task_info> 
<report> 
  <version>3.0</version> 
  <platform>204</platform> 
  <software>PE Static Analyzer</software> 
  <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256> 
  <md5>04f4f1c83f1e69b1f055202964536f13</md5> 
  <malware>no</malware> 
  <summary> 
    <entry details="Entropy is a measurement of the randomness in data. Overlays with high entropy indicate encoded or encrypted data." id="3030" score="0.0">Contains overlay data with high entropy</entry> 
    <entry details="Sections with a large discrepancy between raw and virtual sizes may indicate a packed or obfuscated PE file." id="3013" score="0.0">Contains sections with size discrepancies</entry> 
    <entry details="Thread-local storage (TLS) is normally used to manage data in multithreaded applications. However, it can also allow execution of code outside of the expected entry point of a PE file." id="3019" score="0.0">Contains a TLS section</entry> 
    <entry details="The PE file checksum is required for drivers, boot-time DLLs, and other DLLs loaded into secure system processes. Malware often ignores this value or sets it to zero." id="3015" score="0.0">Contains an invalid checksum</entry> 
    <entry details="Overlay data is extra data appended to the end of a PE image. Many legitimate files, including all files that are digitally signed, contain overlay data. However, malware often uses overlays to embed encoded or encrypted data as well." id="3029" score="0.0">Contains overlay data</entry> 
    <entry details="Standard section names are defined by the compiler. Non-standard section names may indicate a packed or obfuscated PE file." id="3003" score="0.0">Contains non-standard section names</entry> 
    <entry details="Sections with zero size indicate a packed or obfuscated PE file." id="3036" score="0.0">Contains sections with zero size</entry> 
  </summary> 
</report> 
<!-- TRUNCATED RESPONSE --> 
</task_info> 
</wildfire> 
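
In the example report above, file_info marks the sample as malware while the PE Static Analyzer report carries its own malware value of no, so a consumer should read both levels separately. The following added example (not Palo Alto Networks code) validates a hash before it is sent and parses a report into those two levels; the function names are hypothetical, and the sample is an abridged copy of the report above with the details attributes shortened.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: abridged copy of the example report shown on this page.
SAMPLE_REPORT = """<wildfire>
  <file_info>
    <malware>yes</malware>
    <filetype>PE</filetype>
    <sha256>ca007e3b395688f5f3062729978dcdbadc90d9c3501d9a89c139d11c58d2a15e</sha256>
    <md5>04f4f1c83f1e69b1f055202964536f13</md5>
  </file_info>
  <task_info>
    <report>
      <platform>204</platform>
      <software>PE Static Analyzer</software>
      <malware>no</malware>
      <summary>
        <entry details="..." id="3019" score="0.0">Contains a TLS section</entry>
        <entry details="..." id="3015" score="0.0">Contains an invalid checksum</entry>
      </summary>
    </report>
    <!-- TRUNCATED RESPONSE -->
  </task_info>
</wildfire>"""

def is_valid_sample_hash(value):
    """True for an MD5 (32 hex chars) or SHA-256 (64 hex chars) string."""
    return re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}", value) is not None

def summarize_report(xml_text):
    """Return the file-level verdict plus each analysis report's own verdict."""
    root = ET.fromstring(xml_text)
    info = root.find("file_info")
    reports = []
    for rep in root.iterfind("task_info/report"):
        reports.append({
            "software": rep.findtext("software"),
            "platform": rep.findtext("platform"),
            "malware": rep.findtext("malware") == "yes",
            # (id, score, title) for every behavior entry in the summary
            "entries": [(e.get("id"), float(e.get("score")), e.text.strip())
                        for e in rep.iterfind("summary/entry")],
        })
    return {"sha256": info.findtext("sha256"),
            "file_malware": info.findtext("malware") == "yes",
            "reports": reports}
```

Calling summarize_report(SAMPLE_REPORT) yields file_malware set to True alongside a single report whose malware field is False, which is the mismatch a triage script would otherwise miss if it read only the first malware element it found.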