Liberty91
CTI Skill · Investigation

File Hash Investigation.

/hash-investigation

A file hash lookup tells you whether a sample is already known to threat-intel sources, which malware family it has been attributed to, and how it has been observed to behave. This free, open-source skill runs inside your AI coding agent and characterises any MD5, SHA1 or SHA256 hash by querying threat-intel sources and consolidating the result. It is built for SOC analysts and CTI practitioners triaging files flagged by EDR, sandboxes or email gateways. Keep in mind that a hash is an exact match: a rebuilt or even trivially modified sample will not be found, so a miss means "untriaged", not "clean".

What it does.

It checks the hash against VirusTotal and OTX, and can trigger a deeper malware-analysis review for novel samples. The detection signals and community context are consolidated into one summary so you can judge the file at a glance.

When to use it.

Use it during SOC triage when EDR or a sandbox surfaces a hash and you need to know whether it is a known threat. It also helps CTI analysts confirm a sample's family and pull the related indicators they need to expand an investigation.

What you get back.

You get the detection ratio across engines, the likely malware family, behavioural tags, and pivot candidates such as communicating IPs and dropped files that point you to the next step. Read the ratio as a confidence signal rather than a severity score: one or two generic detections are often heuristics or false positives and deserve a look at which engines fired, while a zero result for a hash no source has seen says nothing about the file.

How it fits your workflow.

Run it from Claude Code, Cursor, Codex or Windsurf with a single command. The free VirusTotal and OTX tiers are enough to start, and the skill degrades gracefully when a key is missing.
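The lookup-and-consolidate flow described above, written out as an added Python example (not the skill's own code). It validates the digest before it goes anywhere near a URL, skips a source whose API key is not set instead of failing, and merges the VirusTotal and OTX answers into one summary with a verdict that treats low detection counts and "never seen" differently from "known-bad". The environment variable names, the response fields read (VirusTotal v3 `last_analysis_stats`, `popular_threat_classification` and `contacted_ips`/`dropped_files` relationships; OTX `pulse_info.pulses`), and the verdict thresholds are assumptions; the sample responses at the bottom are constructed, not real data.

```python
"""Hash triage: validate, fetch from VT/OTX when keys exist, consolidate.
Response field names and env var names are assumptions from the public docs."""
import json
import os
import re
import urllib.request
from typing import Optional
from urllib.error import HTTPError

_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_type(value: str) -> str:
    """Return md5/sha1/sha256 for a hex digest, else raise ValueError.
    Validating first keeps arbitrary strings out of the API URL path."""
    value = value.strip().lower()
    if len(value) not in _HASH_LEN or not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return _HASH_LEN[len(value)]


def is_hash(value: str) -> bool:
    try:
        hash_type(value)
        return True
    except ValueError:
        return False


def _get_json(url: str, headers: dict) -> Optional[dict]:
    """GET JSON; a 404 means this source has never seen the hash."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def fetch_virustotal(digest: str) -> Optional[dict]:
    key = os.environ.get("VT_API_KEY")  # assumed env var name
    if not key:
        return None  # missing key: skip this source, do not fail the lookup
    url = (f"https://www.virustotal.com/api/v3/files/{digest}"
           "?relationships=contacted_ips,dropped_files")
    return _get_json(url, {"x-apikey": key})


def fetch_otx(digest: str) -> Optional[dict]:
    key = os.environ.get("OTX_API_KEY")  # assumed env var name
    if not key:
        return None
    url = f"https://otx.alienvault.com/api/v1/indicators/file/{digest}/general"
    return _get_json(url, {"X-OTX-API-KEY": key})


def verdict(summary: dict) -> str:
    """Detection count is confidence, not severity (thresholds are assumed)."""
    det = summary["detections"]
    if det is None and summary["pulse_count"] == 0:
        return "unknown"  # nobody has seen it: untriaged, not clean
    malicious = det[0] if det else 0
    if malicious >= 5:
        return "known-bad"
    if malicious >= 1:
        return "low-confidence"  # check which engines fired before acting
    return "community-reported" if summary["pulse_count"] else "no-detections"


def consolidate(digest: str, vt: Optional[dict], otx: Optional[dict]) -> dict:
    """Merge whatever sources answered into one triage summary."""
    digest = digest.strip().lower()
    out = {"hash": digest, "hash_type": hash_type(digest), "sources": [],
           "detections": None, "family": None, "tags": set(), "pivots": {},
           "pulse_count": 0}
    if vt is not None:
        out["sources"].append("virustotal")
        data = vt.get("data", {})
        attrs = data.get("attributes", {})
        stats = attrs.get("last_analysis_stats", {})
        scanned = sum(stats.get(k, 0) for k in
                      ("malicious", "suspicious", "undetected", "harmless"))
        out["detections"] = (stats.get("malicious", 0), scanned)
        out["family"] = attrs.get("popular_threat_classification", {}).get(
            "suggested_threat_label")
        out["tags"].update(attrs.get("tags", []))
        rels = data.get("relationships", {})
        for rel in ("contacted_ips", "dropped_files"):  # pivot candidates
            ids = [item["id"] for item in rels.get(rel, {}).get("data", [])]
            if ids:
                out["pivots"][rel] = ids
    if otx is not None:
        out["sources"].append("otx")
        pulses = otx.get("pulse_info", {}).get("pulses", [])
        out["pulse_count"] = len(pulses)
        for pulse in pulses:  # community context
            out["tags"].update(pulse.get("tags", []))
    out["tags"] = sorted(out["tags"])
    out["verdict"] = verdict(out)
    return out


# Constructed sample responses (not real data), shaped like the two APIs.
SAMPLE_VT = {"data": {"id": "a" * 64, "attributes": {
    "last_analysis_stats": {"malicious": 41, "suspicious": 1, "undetected": 20, "harmless": 0},
    "popular_threat_classification": {"suggested_threat_label": "trojan.example/stealer"},
    "tags": ["peexe", "spreader"]},
    "relationships": {"contacted_ips": {"data": [{"type": "ip_address", "id": "203.0.113.7"}]},
                      "dropped_files": {"data": [{"type": "file", "id": "b" * 64}]}}}}
SAMPLE_OTX = {"pulse_info": {"count": 2, "pulses": [
    {"name": "constructed pulse 1", "tags": ["example-stealer"]},
    {"name": "constructed pulse 2", "tags": ["phishing"]}]}}

if __name__ == "__main__":
    print(json.dumps(consolidate("A" * 64, SAMPLE_VT, SAMPLE_OTX), indent=2))
```

Run it live by setting `VT_API_KEY` and `OTX_API_KEY` and calling `consolidate(h, fetch_virustotal(h), fetch_otx(h))`; with one key absent the corresponding source simply drops out of `sources`, which is the graceful degradation the skill describes. The validation in `hash_type` is the check worth keeping even if you replace everything else: EDR alerts and pasted e-mail text are untrusted input, and only a hex digest of a known length should ever be interpolated into a request path.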
