Attachment: Embedded Javascript in SVG file (unsolicited)

Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.

Sublime rule

name: "Attachment: Embedded Javascript in SVG file (unsolicited)"
description: |
    Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
references:
  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension =~ "svg"
            or .file_extension in $file_extensions_common_archives
          )
          and strings.ilike(file.parse_text(.).text,
                            "*onload*",
                            "*window.location.href*",
                            "*onerror*",
                            "*CDATA*",
                            "*<script>*",
                            "*</script>*"
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"
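The following is an added Python approximation of the rule logic above, written to show how the three clauses (attachment type, script markers, sender profile) combine; it is not Sublime's code or its MQL engine. The Attachment and SenderProfile classes, the parse_text helper and the COMMON_ARCHIVE_EXTENSIONS list are assumptions standing in for Sublime's attachment object, profile.by_sender() and $file_extensions_common_archives; only zip archives are opened, and the SVG fixtures are constructed for the example.

```python
"""Added example approximating the Sublime rule above in plain Python.
Not Sublime's code; object and helper names are assumptions."""
import io
import zipfile
from dataclasses import dataclass

# Patterns from the rule's strings.ilike(...) call. ilike is case-insensitive
# and every pattern is "*x*", so a case-insensitive substring test is equivalent.
SCRIPT_MARKERS = (
    "onload",
    "window.location.href",
    "onerror",
    "CDATA",
    "<script>",
    "</script>",
)

# Assumed stand-in for Sublime's $file_extensions_common_archives list.
COMMON_ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "tar", "gz"}


@dataclass
class Attachment:
    """Assumed stand-in for a Sublime attachment object."""
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        # `.file_extension =~ "svg"` is a case-insensitive compare, so lowercase here.
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class SenderProfile:
    """Assumed stand-in for the fields of profile.by_sender() the rule reads."""
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False


def parse_text(att: Attachment) -> str:
    """Approximation of file.parse_text(): the file body for an SVG, or the
    concatenated bodies of every member for a zip archive (zip only; assumption)."""
    if att.file_extension == "zip" and zipfile.is_zipfile(io.BytesIO(att.content)):
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            return "\n".join(
                zf.read(name).decode("utf-8", errors="replace") for name in zf.namelist()
            )
    return att.content.decode("utf-8", errors="replace")


def matched_markers(att: Attachment) -> list:
    """Markers found in the attachment text, in SCRIPT_MARKERS order.
    Empty list when the extension is neither svg nor a common archive."""
    if not (att.file_extension == "svg" or att.file_extension in COMMON_ARCHIVE_EXTENSIONS):
        return []
    text = parse_text(att).lower()
    return [m for m in SCRIPT_MARKERS if m.lower() in text]


def sender_clause(profile: SenderProfile) -> bool:
    """The rule's second AND branch: unsolicited sender, or a sender with prior
    malicious/spam messages and no recorded false positives."""
    return (not profile.solicited) or (
        profile.any_messages_malicious_or_spam and not profile.any_false_positives
    )


def rule_fires(attachments, profile: SenderProfile) -> bool:
    """True when any attachment carries a marker AND the sender clause holds."""
    return any(matched_markers(a) for a in attachments) and sender_clause(profile)


# Constructed fixtures (not real samples): a plain SVG and one carrying a script element.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>window.location.href="https://example.invalid/"</script></svg>'
)


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip holding one member, to exercise the archive branch."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    unsolicited = SenderProfile(solicited=False)
    print(rule_fires([Attachment("logo.svg", BENIGN_SVG)], unsolicited))
    print(rule_fires([Attachment("invoice.svg", SCRIPTED_SVG)], unsolicited))
    print(rule_fires([Attachment("invoice.zip", make_zip("invoice.svg", SCRIPTED_SVG))], unsolicited))
```

Running it shows why the sender clause matters: the string markers alone are broad (CDATA blocks and onload handlers also occur in legitimate SVGs), so the same scripted attachment from a solicited sender with no malicious history does not fire, while an unsolicited sender or one with prior malicious/spam messages and no false positives does.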