Wordfence Intelligence Documentation
V2: Accessing and Querying the Malware Hash Feed (Enterprise)
Wordfence Intelligence Malware Hash Feed
The Wordfence Intelligence Malware Hash Feed provides hashes of four different types for the content of over 3 million files that are known to be malicious.
API Endpoint
GET /api/intelligence/v2/malware/hashesIf no parameters are provided, the feed will be returned in its entirety.
Parameters
| Parameter | Format | Description |
|---|---|---|
| fields | Array or Comma-delimited list | The list of fields to include in the response |
| omit-header | Boolean | If specified, the column headers will be omitted from the response |
| limit | Integer | The maximum number of results to include in the response |
| offset | Integer | The position, relative to the start of the result set (0), from which to return results. This can be used for paginating results. |
| sort | Array or string | The field(s) by which to sort the results |
| direction | Array or string | The direction in which to sort the results (asc for ascending or desc for descending). If an array is provided, it should correspond to the fields specified in the sort parameter. |
| plain | Boolean | If specified, text/plain will be used as the content type of the response rather than text/csv. |
| <field-name> | String | Filter based on the value of the specified field. See “Filtering Results” for additional details. |
Parameter Types
| Type | Description |
|---|---|
| Boolean | If present in the request query string, this parameter is interpreted as a boolean true, otherwise it will be interpreted as false |
| Array | Brackets([]) in parameter names can be used to pass an array. For instance, to pass md5 and sha1 as values for the fields parameter, the following query string can be used: fields[]=md5&fields[]=sha1 |
Filtering Results
Results may be filtered by specifying the field name and value in the query string. If multiple conditions are specified, they will be combined with a logical “and” operation.
Operators
By default filters are exact matches, but the following operators may be specified at the beginning of values if different conditions are desired.
| Operator | Description |
|---|---|
= |
Equal (exact match; default behavior) |
< |
Less than |
<= |
Less than or equal to |
> |
Greater than |
>= |
Greater than or equal to |
<> |
Not equal to |
Data Format
Response data is provided in the CSV (comma-separated values) format.
Fields
| Field | Type | Description |
|---|---|---|
| md5 | Hex | The MD5 hash |
| sha1 | Hex | The SHA1 hash |
| sha256 | Hex | The SHA256 hash |
| sha256_normalized | Hex | The normalized SHA256 hash |
| sightings | Integer | The total number of sightings of this hash |
| first_seen | Date | This earliest time this hash was encountered |
| last_seen | Date | The latest time this hash was encountered |
Date Format
Date values are provided as strings in the following format: YYYY-MM-DD
YYYY– 4 digit yearMM– 2 digit year with leading zeroesDD– 2 digit month with leading zeros
Wildcard Matches
The asterisk character(*) may be specified in field values to invoke wildcard matching. Wildcard matching may not be combined with any other operator.
Hash Types
The following hash types are available for each record in the feed:
- MD5
- SHA1
- SHA256
- SHA256 – Normalized
Normalized Hashes
For normalized hashes, whitespace characters are removed from the input data prior to computation. The following characters are considered whitespace for this purpose:
| Character | Escape Sequence | ASCII Code |
|---|---|---|
| Space | ” “ | 32 |
| Tab | “\t” | 9 |
| Line Feed | “\n” | 10 |
| Carriage Return | “\r” | 13 |