Malicious Emails
The malicious_emails data set contains indicators extracted from malicious email headers. When a malicious email (one with 1 or more AV detections) is uploaded to VirusTotal or another source, we download the email and parse its header to extract the routing information, sender and recipient addresses, subject line, and similar data. Indicators are geolocated and sector information is added for context.
| Field | Description |
|---|---|
| area_code | area code geolocated from the indicator |
| city | city name geolocated from the indicator |
| country | two-character country code geolocated from the indicator |
| detection | number of positive antivirus detections |
| domain_cat | general site categorization of the indicator |
| email_type | type of email: either MSG or EML |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| indicator | indicator extracted from the email header |
| indicator_context | additional context on the indicator, defining its role within the email header |
| indicator_type | type of indicator extracted from the email header |
| last_seen | when the email was last observed |
| location | latitude/longitude coordinates |
| postal_code | postal code geolocated from the indicator |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash |
| reference | link to VirusTotal |
| region | region name geolocated from the indicator |
| url_cat | specific site categorization of the indicator |
All Malicious Email data sets pivot on "reference", which is the common link to the VirusTotal metadata.
Malicious Email Detections
The malicious_email_detections data set is a companion to Malicious Emails and contains per-vendor AV detections. We also normalize the detection name to make analytics easier: for example, a detection name of Exploit.ComObj.CVE-2012-0158.hzuf is reduced to just cve-2012-0158.
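As an added illustration (not code from the data set's own pipeline), the following shows the normalization rule above, generalized to any CVE identifier, together with a join of detection rows onto context rows via the shared "reference" field. The sample rows and the vt-link-placeholder values are constructed; the handling of names that carry no CVE id is an assumption, since the page does not describe it.

```python
import re
from collections import defaultdict

# Matches a CVE id inside a vendor detection name, tolerating '-' or '_'
# separators (assumption: the page shows one example, CVE-2012-0158).
CVE_RE = re.compile(r"cve[-_]?(\d{4})[-_](\d{4,7})", re.IGNORECASE)

def normalize_detection(detection_name: str) -> str:
    """Map a vendor detection_name to detection_shortname.
    Page rule: 'Exploit.ComObj.CVE-2012-0158.hzuf' -> 'cve-2012-0158'.
    Names without a CVE id are lower-cased unchanged (assumption)."""
    m = CVE_RE.search(detection_name)
    if m:
        return f"cve-{m.group(1)}-{m.group(2)}"
    return detection_name.lower()

def pivot_on_reference(detections, contexts):
    """Join malicious_email_detections rows to malicious_email_context rows
    on the shared 'reference' field (the VirusTotal link). Returns
    {reference: {"sender", "subject_line", "shortnames"}}."""
    shortnames = defaultdict(set)
    for row in detections:
        shortnames[row["reference"]].add(normalize_detection(row["detection_name"]))
    joined = {}
    for ctx in contexts:
        ref = ctx["reference"]
        joined[ref] = {
            "sender": ctx["sender"],
            "subject_line": ctx["subject_line"],
            # sorted unique shortnames: two vendors naming the same CVE collapse to one
            "shortnames": sorted(shortnames.get(ref, ())),
        }
    return joined

# Constructed sample rows; 'vt-link-placeholder-1' stands in for a real VirusTotal link.
SAMPLE_DETECTIONS = [
    {"reference": "vt-link-placeholder-1", "vendor": "VendorA",
     "detection_name": "Exploit.ComObj.CVE-2012-0158.hzuf"},
    {"reference": "vt-link-placeholder-1", "vendor": "VendorB",
     "detection_name": "Exploit:Win32/CVE_2012_0158.gen"},
    {"reference": "vt-link-placeholder-1", "vendor": "VendorC",
     "detection_name": "Trojan.Generic"},
]
SAMPLE_CONTEXT = [
    {"reference": "vt-link-placeholder-1", "sender": "sender@example.com",
     "subject_line": "Invoice attached"},
]
```

Running `pivot_on_reference(SAMPLE_DETECTIONS, SAMPLE_CONTEXT)` yields one row whose shortnames are `["cve-2012-0158", "trojan.generic"]`, showing how two differently spelled vendor names for the same CVE collapse after normalization.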
| Field | Description |
|---|---|
| detection_name | antivirus detection name |
| detection_shortname | normalized antivirus detection name |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| last_seen | when the email was last observed |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash |
| reference | link to VirusTotal |
| vendor | antivirus vendor |
Malicious Email Context
| Field | Description |
|---|---|
| detections | complete list of antivirus detection names |
| etl_date | date the data was extracted, transformed or loaded (ETL) |
| first_seen | when the email was first observed |
| last_seen | when the email was last observed |
| raw_data_file | email file, named with the prefix email_ followed by the SHA-256 hash |
| recipients | email account(s) receiving the malicious email |
| reference | link to VirusTotal |
| sender | email account sending the email |
| subject_line | observed subject line |
| targets | organization receiving the malicious email |