submit_sample
Submit suspicious files or URLs to a cloud detonation sandbox for malware analysis. Supports Hybrid Analysis, Triage, and ANY.RUN backends.
Instructions
Submit a suspicious file or URL to a cloud detonation sandbox.
WARNING: on the free tiers of Hybrid Analysis and tria.ge, submitted files/URLs and their analysis results are PUBLIC and shared with third parties; tria.ge community submissions cannot be deleted. Do not submit confidential or internal files unless you are using a private/enterprise instance.
Because of that, for the 'hybrid_analysis' and 'triage' backends this tool REFUSES to submit unless acknowledge_public_submission=true. First call without it to receive the warning, confirm with the user, then re-call with acknowledge_public_submission=true.
This tool returns IMMEDIATELY with a task_id; detonation runs asynchronously and typically takes 2-10 minutes. Poll the result with get_report(task_id), respecting its poll_after_seconds hint.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| target | Yes | Local file path (target_type='file') or an http(s) URL (target_type='url'). Files are uploaded as-is; this server never executes them locally. | |
| sandbox | Yes | Detonation backend: 'hybrid_analysis', 'triage', or 'anyrun' (anyrun requires a paid plan key). 'malwarebazaar' cannot detonate -- use search_hash for static hash intel instead. | |
| environment | No | Optional VM/environment selector. Hybrid Analysis accepts an environment id ('100','110','120','140','200','300') or a fuzzy name ('win10', 'windows 11', 'linux', 'android'); default is Windows 10 64-bit. tria.ge auto-selects and ignores this. ANY.RUN passes it through as env_os. | |
| target_type | Yes | 'file' or 'url'. | |
| acknowledge_public_submission | No | Must be true to actually submit to the public-tier backends (hybrid_analysis, triage) -- see the warning above. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||