Attachment: Embedded Javascript in SVG file
SVG is an XML image format that can carry `<script>` elements and event-handler attributes (e.g. `onload`, `onerror`). When a recipient opens an attached SVG in a browser, that JavaScript executes: it can redirect the victim (`window.location.href`, `location.assign`), decode an embedded base64 payload (`atob`, a `data:` URI inside an `<iframe>`) or render a phishing page — a form of HTML smuggling. This rule flags inbound SVG attachments, including SVGs carried inside archives, whose text or base64-decoded content contains those markers.
# Sublime Security MQL detection rule: inbound SVG attachments (direct or archived)
# that contain script / redirect / payload-decoding markers.
name: "Attachment: Embedded Javascript in SVG file"
description: |
  Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
# Sample payloads the rule was written against (delivr.to test corpus).
references:
  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
  - "https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea"
  - "https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3"
  - "https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878"

type: "rule"
severity: "high"
source: |
  // Only inbound mail; the rule has no sender/recipient conditions beyond this.
  type.inbound
  // Any single attachment satisfying either branch (direct SVG, or SVG inside an archive) fires the rule.
  and any(attachments,
          (
            // Branch 1: the attachment itself is an SVG. Extension, declared MIME type and
            // detected file type are checked independently so a mislabelled file is still caught.
            (
              .file_extension in~ ("svg", "svgz")
              or .content_type in~ ("image/svg+xml")
              or .file_type == "svg"
            )
            and (
              // Case-insensitive keyword deny-list over the attachment's text: event handlers
              // (onload/onerror), redirection (window.location.href, location.assign), script
              // tags, and payload decoding (atob, decodeURIComponent).
              // NOTE(review): "*CDATA*" will also match SVGs that merely wrap a stylesheet in a
              // CDATA section — confirm the false-positive rate for that term against telemetry.
              // NOTE(review): this is plain-text matching; handlers not in this list (e.g. onclick)
              // or entity-encoded attribute names are not covered by the rule as written.
              strings.ilike(file.parse_text(.,
                                            encodings=[
                                              "ascii",
                                              "utf8",
                                              "utf16-le"
                                            ]
                            ).text,
                            "*onload*",
                            "*window.location.href*",
                            "*onerror*",
                            "*CDATA*",
                            "*<script*",
                            "*</script*",
                            "*atob*",
                            "*location.assign*",
                            "*decodeURIComponent*"
              )
              // An <iframe> whose src is an inline base64 data: URI (HTML smuggling).
              // Scope of this regex: only a double-quoted src with an explicit ";base64," is matched;
              // a single-quoted/unquoted src or a percent-encoded (non-base64) data: URI is not.
              or regex.icontains(file.parse_text(.,
                                                 encodings=[
                                                   "ascii",
                                                   "utf8",
                                                   "utf16-le"
                                                 ]
                                 ).text,
                                 '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
              )
              // Decode any base64 blobs found in the text and re-apply the same keyword list, so a
              // payload hidden behind atob() is still detected. Here the encodings list governs how
              // the decoded blobs are interpreted (it is passed to scan_base64, not to parse_text).
              or any(beta.scan_base64(file.parse_text(.).text,
                                      encodings=["ascii", "utf8", "utf16-le"]
                     ),
                     strings.ilike(.,
                                   "*onload*",
                                   "*window.location.href*",
                                   "*onerror*",
                                   "*CDATA*",
                                   "*<script*",
                                   "*</script*",
                                   "*atob*",
                                   "*location.assign*",
                                   "*decodeURIComponent*"
                     )
              )
            )
          )
          or (
            // Branch 2: an SVG carried inside a common archive or a bare gzip stream.
            // NOTE: .file_type and .content_type use case-sensitive == here, unlike the in~ above.
            (
              .file_extension in $file_extensions_common_archives
              or .file_type == "gz"
              or .content_type == "application/x-gzip"
            )
            // Explode the archive and look for an SVG member by extension or detected MIME type.
            and any(file.explode(.),
                    (
                      .file_extension in~ ("svg", "svgz")
                      or .flavors.mime == "image/svg+xml"
                    )
                    // Same keyword list, but applied to the exploded member's extracted strings.
                    // The iframe data: URI regex and the base64 re-decoding from branch 1 are NOT
                    // applied to archived SVGs, so coverage is narrower here.
                    and any(.scan.strings.strings,
                            strings.ilike(.,
                                          "*onload*",
                                          "*window.location.href*",
                                          "*onerror*",
                                          "*CDATA*",
                                          "*<script*",
                                          "*</script*",
                                          "*atob*",
                                          "*location.assign*",
                                          "*decodeURIComponent*"
                            )
                    )
            )
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
# NOTE(review): "Sender analysis" is tagged below, but the source above evaluates only
# type.inbound and attachment content — no sender fields are inspected. Verify this tag.
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"