Attachment: Embedded Javascript in SVG file

JavaScript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Sublime rule (View on GitHub)

  1name: "Attachment: Embedded Javascript in SVG file"
  2description: |
  3    Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
  4references:
  5  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  6  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  7  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  8  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
  9  - "https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea"
 10  - "https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3"
 11  - "https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878"
 12
 13type: "rule"
 14severity: "high"
 15source: |
 16  type.inbound
 17  and any(attachments,
 18          (
 19            (
 20              .file_extension in~ ("svg", "svgz")
 21              or .content_type in~ ("image/svg+xml")
 22              or .file_type == "svg"
 23            )
 24            and (
 25              strings.ilike(file.parse_text(.,
 26                                            encodings=[
 27                                              "ascii",
 28                                              "utf8",
 29                                              "utf16-le"
 30                                            ]
 31                            ).text,
 32                            "*onload*",
 33                            "*window.location.href*",
 34                            "*onerror*",
 35                            "*CDATA*",
 36                            "*<script*",
 37                            "*</script*",
 38                            "*atob*",
 39                            "*location.assign*",
 40                            "*decodeURIComponent*"
 41              )
 42              or regex.icontains(file.parse_text(.,
 43                                                 encodings=[
 44                                                   "ascii",
 45                                                   "utf8",
 46                                                   "utf16-le"
 47                                                 ]
 48                                 ).text,
 49                                 '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
 50              )
 51              or any(beta.scan_base64(file.parse_text(.).text,
 52                                      encodings=["ascii", "utf8", "utf16-le"]
 53                     ),
 54                     strings.ilike(.,
 55                                   "*onload*",
 56                                   "*window.location.href*",
 57                                   "*onerror*",
 58                                   "*CDATA*",
 59                                   "*<script*",
 60                                   "*</script*", 
 61                                   "*atob*",
 62
 63                                   "*location.assign*",
 64                                   "*decodeURIComponent*"
 65                     )
 66              )
 67            )
 68          )
 69          or (
 70            (
 71              .file_extension in $file_extensions_common_archives
 72              or .file_type == "gz"
 73              or .content_type == "application/x-gzip"
 74            )
 75            and any(file.explode(.),
 76                    (
 77                      .file_extension in~ ("svg", "svgz")
 78                      or .flavors.mime == "image/svg+xml"
 79                    )
 80                    and any(.scan.strings.strings,
 81                            strings.ilike(.,
 82                                          "*onload*",
 83                                          "*window.location.href*",
 84                                          "*onerror*",
 85                                          "*CDATA*",
 86                                          "*<script*",
 87                                          "*</script*",
 88                                          "*atob*",
 89                                          "*location.assign*",
 90                                          "*decodeURIComponent*"
 91                            )
 92                    )
 93            )
 94          )
 95  )  
 96 
 97attack_types:
 98  - "Malware/Ransomware"
 99tactics_and_techniques:
100  - "Scripting"
101detection_methods:
102  - "Archive analysis"
103  - "File analysis"
104  - "Sender analysis"
105  - "XML analysis"
106id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"