popular_threat_classification

Human-readable names extracted from the AV verdicts and clustering hashes

popular_threat_classification contains human-readable names extracted from AV verdicts and clustering hashes. It has the following fields:

  • popular_threat_name: <list of dictionaries> dictionaries where 'value' is a token and 'count' is how many AV engines emitted that token. The dictionaries are sorted in decreasing frequency.
  • popular_threat_category: <list of dictionaries> similar to popular_threat_name, but these tokens are more generic; in other words, they are categories of malware rather than individual families. Unlike popular_threat_name, popular_threat_category is somewhat normalized, e.g. 'ransom' becomes 'ransomware'.
  • suggested_threat_label: <string> a string combining part of popular_threat_category and popular_threat_name.
{
	"data": {
		...
		"attributes": {
			...
			"popular_threat_classification": {
				"suggested_threat_label": <string>,
				"popular_threat_category": [
					{
						"count": <int>,
						"value": <string>
					},
					...
				],
				"popular_threat_name": [
					{
						"count": <int>,
						"value": <string>
					},
					...
				]
			}
		}
	}
}

{
	"data": {
		...
		"attributes": {
			...
			"popular_threat_classification": {
				"suggested_threat_label": "adware.jatift/machaer",
				"popular_threat_category": [
					{
						"count": 8,
						"value": "adware"
					}
				],
				"popular_threat_name": [
					{
						"count": 8,
						"value": "jatift"
					},
					{
						"count": 7,
						"value": "machaer"
					},
					{
						"count": 4,
						"value": "mailru"
					}
				]
			}
		}
	}
}
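The example response above, parsed into a triage summary. This is an added example, not VirusTotal's own code or documented algorithm: the label shape "<top category>.<name1>/<name2>" is an assumption inferred from the sample and is rebuilt only to flag reports whose label and token lists disagree; the field names are the ones documented on this page.

```python
import json

# Constructed sample: the file-report excerpt shown on this page, trimmed to the
# fields the summary needs (the "..." schema placeholders are omitted).
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"popular_threat_classification": {
  "suggested_threat_label": "adware.jatift/machaer",
  "popular_threat_category": [{"count": 8, "value": "adware"}],
  "popular_threat_name": [
    {"count": 8, "value": "jatift"},
    {"count": 7, "value": "machaer"},
    {"count": 4, "value": "mailru"}
  ]}}}}
""")


def top_values(entries, n):
    """Return the n most frequent 'value' tokens, re-sorting defensively
    instead of trusting the documented decreasing-frequency order."""
    ranked = sorted(entries, key=lambda e: (-int(e["count"]), e["value"]))
    return [e["value"] for e in ranked[:n]]


def summarize(report):
    """Reduce a VT file report to a triage summary; None if the block is absent
    (e.g. a file with no detections)."""
    attrs = report.get("data", {}).get("attributes", {})
    ptc = attrs.get("popular_threat_classification")
    if not ptc:
        return None
    names_raw = ptc.get("popular_threat_name", [])
    categories = top_values(ptc.get("popular_threat_category", []), 1)
    names = top_values(names_raw, 2)
    # Assumption: the label looks like "<top category>.<name1>/<name2>" in the
    # page's example; it is rebuilt here only to flag reports where the label and
    # the token lists disagree, not as VT's documented algorithm.
    rebuilt = (categories[0] if categories else "") + "." + "/".join(names)
    return {
        "category": categories[0] if categories else None,
        "names": names,
        "label": ptc.get("suggested_threat_label"),
        "label_matches_tokens": rebuilt == ptc.get("suggested_threat_label"),
        "max_engine_agreement": max((int(e["count"]) for e in names_raw), default=0),
    }
```

`max_engine_agreement` is the number of engines behind the most popular family token, a quick signal of how much the vendors agree before you trust the label.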