Suspicious File Detonation in Hybrid Analysis
Submit a suspicious file to Hybrid Analysis for sandbox detonation and return the scan job ID.
Overview
When a file comes in that VirusTotal doesn't have a verdict on, the next step is dynamic analysis in a sandbox. This playbook downloads the file from a given URL, submits it to Hybrid Analysis for detonation, and returns the scan job ID so your analyst (or another playbook) can check the verdict when it's ready.
Who this is for: Malware analysts and SOC tier-2 performing deeper triage on unknown files
Why automate this
Some files won't match any existing hash in VirusTotal. They're too new, too targeted, or custom-built for the attack. A sandbox detonation surfaces the real behavior: network callouts, file writes, process spawns. This playbook makes that capability available to every analyst with a single action.
How it works
1. Accept a file URL as input
2. Download the file to the playbook execution environment
3. Submit the file to Hybrid Analysis sandbox via the API
4. Return the scan job ID for downstream polling
Impact
Analyzes never-before-seen files automatically
Reveals behavioral IOCs that static analysis misses
Low-friction access to sandboxing without manual uploads
Can be triggered from Slack or chained into email triage playbooks
Related playbooks
Keep automating
CrowdStrike IOC Hunt Across Fleet
Search your entire CrowdStrike fleet for a specific Indicator of Compromise and report matches to Slack.
Splunk Incident to ServiceNow Ticket + Slack Alert
Automatically open a ServiceNow ticket and notify your security channel whenever a Splunk incident fires.
Outlook Phishing Detection with VirusTotal
Scan every inbound Outlook email for malicious URLs and attachments, delete threats, and notify Slack.
Bring this playbook into your SOC
See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.