Attachment: Embedded Javascript in SVG file

JavaScript embedded in SVG files can be used to smuggle malicious payloads or execute scripts.

Sublime rule (View on GitHub)

  1name: "Attachment: Embedded Javascript in SVG file"
  2description: |
  3    Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
  4references:
  5  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  6  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  7  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  8  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
  9  - "https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea"
 10  - "https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3"
 11  - "https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878"
 12
 13type: "rule"
 14severity: "high"
 15source: |
 16  type.inbound
 17  and any(attachments,
 18          (
 19            (
 20              .file_extension in~ ("svg", "svgz")
 21              or .content_type in~ ("image/svg+xml")
 22              or .file_type == "svg"
 23            )
 24            and (
 25              strings.ilike(file.parse_text(.,
 26                                            encodings=[
 27                                              "ascii",
 28                                              "utf8",
 29                                              "utf16-le"
 30                                            ]
 31                            ).text,
 32                            "*onload*",
 33                            "*window.location.href*",
 34                            "*onerror*",
 35                            "*CDATA*",
 36                            "*<script*",
 37                            "*</script*",
 38                            "*atob*",
 39                            "*location.assign*",
 40                            "*decodeURIComponent*"
 41              )
 42              or regex.icontains(file.parse_text(.,
 43                                                 encodings=[
 44                                                   "ascii",
 45                                                   "utf8",
 46                                                   "utf16-le"
 47                                                 ]
 48                                 ).text,
 49                                 '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
 50              )
 51              or any(beta.scan_base64(file.parse_text(.).text,
 52                                      encodings=["ascii", "utf8", "utf16-le"]
 53                     ),
 54                     strings.ilike(.,
 55                                   "*onload*",
 56                                   "*window.location.href*",
 57                                   "*onerror*",
 58                                   "*CDATA*",
 59                                   "*<script*",
 60                                   "*</script*",
 61                                   "*atob*",
 62                                   "*location.assign*",
 63                                   "*decodeURIComponent*"
 64                     )
 65              )
 66            )
 67          )
 68          or (
 69            (
 70              .file_extension in $file_extensions_common_archives
 71              or .file_type == "gz"
 72              or .content_type == "application/x-gzip"
 73            )
 74            and any(file.explode(.),
 75                    (
 76                      .file_extension in~ ("svg", "svgz")
 77                      or .flavors.mime == "image/svg+xml"
 78                    )
 79                    and any(.scan.strings.strings,
 80                            strings.ilike(.,
 81                                          "*onload*",
 82                                          "*window.location.href*",
 83                                          "*onerror*",
 84                                          "*CDATA*",
 85                                          "*<script*",
 86                                          "*</script*",
 87                                          "*atob*",
 88                                          "*location.assign*",
 89                                          "*decodeURIComponent*"
 90                            )
 91                    )
 92            )
 93          )
 94  )  
 95attack_types:
 96  - "Malware/Ransomware"
 97tactics_and_techniques:
 98  - "Scripting"
 99detection_methods:
100  - "Archive analysis"
101  - "File analysis"
102  - "Sender analysis"
103  - "XML analysis"
104id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"