Attachment: Embedded Javascript in SVG file (unsolicited)
Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
Sublime rule
name: "Attachment: Embedded Javascript in SVG file (unsolicited)"
description: |
  Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
references:
  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension =~ "svg"
            or .file_extension in $file_extensions_common_archives
          )
          and strings.ilike(file.parse_text(.).text,
                            "*onload*",
                            "*window.location.href*",
                            "*onerror*",
                            "*CDATA*",
                            "*<script>*",
                            "*</script>*"
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"
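To see how the rule's three conditions combine (attachment type, case-insensitive wildcard match on the extracted text, and the sender-profile gate), here is an added Python approximation of that logic. It is not Sublime's code or its MQL engine: the archive extension list stands in for $file_extensions_common_archives (whose contents are not on the page), file.parse_text is approximated by decoding the file or, for zip archives only, the files inside it, and the two SVG samples are constructed for the demonstration.

```python
"""Added example, not Sublime Security's code: a plain-Python approximation of the
"Embedded Javascript in SVG file (unsolicited)" rule so its logic can be run offline."""
import io
import re
import zipfile
from dataclasses import dataclass

# Indicator patterns copied from the rule; matched like strings.ilike (case-insensitive, * wildcard).
INDICATORS = ["*onload*", "*window.location.href*", "*onerror*",
              "*CDATA*", "*<script>*", "*</script>*"]

# ASSUMPTION: stand-in for $file_extensions_common_archives, which the page does not list.
COMMON_ARCHIVES = {"zip", "rar", "7z", "gz", "tar"}


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class SenderProfile:
    """Mirrors the three profile.by_sender() fields the rule reads."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


def extension(file_name: str) -> str:
    """Lower-cased extension, so the comparison behaves like the rule's =~ (case-insensitive)."""
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


def parse_text(att: Attachment) -> str:
    """Approximation of file.parse_text(.).text: text of the file itself, or of every
    member of a zip archive. Other archive formats are simply decoded as-is (simplification)."""
    if extension(att.file_name) == "zip":
        texts = []
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    texts.append(zf.read(info).decode("utf-8", errors="replace"))
        return "\n".join(texts)
    return att.content.decode("utf-8", errors="replace")


def ilike(text: str, pattern: str) -> bool:
    """strings.ilike semantics: '*' matches anything (including newlines), case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def attachment_matches(att: Attachment) -> bool:
    """The any(attachments, ...) body: right extension AND at least one indicator in the text."""
    ext = extension(att.file_name)
    if not (ext == "svg" or ext in COMMON_ARCHIVES):
        return False
    text = parse_text(att)
    return any(ilike(text, pat) for pat in INDICATORS)


def sender_condition(profile: SenderProfile) -> bool:
    """Unsolicited sender, or a sender with prior malicious/spam history and no false positives."""
    return (not profile.solicited) or (
        profile.any_messages_malicious_or_spam and not profile.any_false_positives
    )


def rule_matches(inbound: bool, attachments: list, profile: SenderProfile) -> bool:
    return inbound and any(attachment_matches(a) for a in attachments) and sender_condition(profile)


# Constructed samples: a plain SVG and one carrying an onload handler plus a script element.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onLoad="init()">'
                b'<script>/* constructed placeholder */</script></svg>')


def build_zip(member_name: str, data: bytes) -> bytes:
    """Build an in-memory zip so the archive branch of the rule can be exercised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    unsolicited = SenderProfile(solicited=False)
    print(rule_matches(True, [Attachment("logo.svg", BENIGN_SVG)], unsolicited))    # False
    print(rule_matches(True, [Attachment("logo.svg", SCRIPTED_SVG)], unsolicited))  # True
    print(rule_matches(True, [Attachment("pack.zip", build_zip("a.svg", SCRIPTED_SVG))],
                       SenderProfile(solicited=True)))                              # False
```

Note that the zip case matches on the archive's text regardless of the member's name, which mirrors the rule: once the attachment is an archive, only the extracted text decides. The sender gate is what keeps a scripted SVG from a known, clean correspondent below the threshold.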