Introduction:

As a Security Operations Center (SOC) analyst, I found that the process of examining URLs for potential threats could be time-consuming and tedious. This involved capturing screenshots of VirusTotal results, verifying if the URL was flagged as malicious by vendors on VirusTotal, and scrutinizing WHOIS data to determine the domain’s registration date. To revolutionize this process and offer valuable insights into URL security, I crafted a Python script that harnesses the capabilities of the VirusTotal API and Selenium WebDriver.

In this engaging blog post, we’ll delve into this powerful Python script, designed to simplify URL analysis for security analysts and web developers alike. The script delivers essential information, such as the VirusTotal score, result category, and WHOIS data, at your fingertips. What’s more, it automatically captures and saves screenshots of the URL’s details page and WHOIS tab on VirusTotal. This all-in-one tool is tailored to optimize the safety and security of websites while dramatically reducing the time and effort required to investigate potentially malicious URLs. Join us as we explore this game-changing solution and transform your URL analysis experience.

Code Overview:

The script starts by importing the required modules and packages, such as time, base64, click, tldextract, whois, defang, selenium, and virustotal_python. These modules are essential for handling various tasks like adding delays, encoding URLs, creating command-line interfaces, extracting domains, and interacting with the VirusTotal API.

Key Functions:

1. get_virustotal_report(api_key, url): This function returns the VirusTotal report for a given URL using the provided API key.

2. display_vt_score_and_category(report): This function displays the VirusTotal score and result category for the given report.

3. get_whois_info(domain): This function retrieves the WHOIS information for a given domain and returns relevant fields for security checks.

4. take_details_screenshot(url, screenshot_file): This function takes a screenshot of the details page for a given URL and saves it to the specified file name.

5. take_whois_screenshot(url, whois_screenshot_file): This function takes a screenshot of the WHOIS tab on the VirusTotal website for a given URL and saves it to the specified file name.

6. defang_or_refang_url(url): This function defangs or refangs a URL depending on whether it is already defanged or not.

7. extract_domain(url): This function extracts the domain from a given URL and returns it.

Running the Script:

The script can be executed from the command line by providing the required options like –api_key, –url, –details_screenshot, and –whois_screenshot. The main function analyze_url runs when the script is executed directly, performing tasks like defanging/refanging the URL, extracting the domain, getting the VirusTotal report, displaying the VT score and category, retrieving WHOIS information, and taking screenshots of the details and WHOIS pages.

Conclusion:

In summary, this Python script offers an easy way to analyze a URL using the VirusTotal API and Selenium WebDriver, providing valuable information to help ensure website security. By utilizing this script, users can quickly gather information about a URL and assess its safety.