Attachment: Embedded Javascript in SVG file
JavaScript embedded in an SVG file runs when the SVG is opened in a browser, so SVG attachments can be used to smuggle malicious payloads or execute scripts.
Sublime rule
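# Sublime Security detection rule: flags inbound SVG attachments (attached
# directly or inside an archive) whose content contains script-like indicators.
name: "Attachment: Embedded Javascript in SVG file"
description: |
  Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
references:
  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
  - "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
  - "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
  - "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
  - "https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea"
  - "https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3"
  - "https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878"

type: "rule"
# NOTE(review): the "*CDATA*" indicator below also matches the benign
# <style><![CDATA[ ... ]]> blocks that many SVG editors emit, so expect
# false positives at this severity unless CDATA is paired with another hit.
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            // Branch 1: SVG attached directly. Matched by file extension only.
            // NOTE(review): a renamed SVG (image/svg+xml under another extension)
            // is only caught by branch 2 below, which also checks .flavors.mime;
            // consider applying the same mime check here.
            .file_extension in~ ("svg", "svgz")
            and (
              // Plain-text indicators: event handlers, script tags, redirect and
              // decoding primitives. The same encodings list is used for every
              // parse_text call in this rule so UTF-16LE SVGs are covered in all
              // three sub-branches.
              // NOTE(review): only onload/onerror are listed; other SVG event
              // handlers (e.g. onclick, onbegin) and javascript:/data: hrefs are not.
              strings.ilike(file.parse_text(.,
                                            encodings=["ascii", "utf8", "utf16-le"]
                            ).text,
                            "*onload*",
                            "*window.location.href*",
                            "*onerror*",
                            "*CDATA*",
                            "*<script*",
                            "*</script*",
                            "*atob*",
                            "*location.assign*",
                            "*decodeURIComponent*"
              )
              // An <iframe> whose src is a base64 data: URI (smuggled payload).
              or regex.icontains(file.parse_text(.,
                                                 encodings=["ascii", "utf8", "utf16-le"]
                                 ).text,
                                 '<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
              )
              // The same indicators inside base64-encoded blobs. parse_text is
              // given the encodings list here too, matching the two sub-branches
              // above; without it a UTF-16LE SVG was never base64-scanned.
              or any(beta.scan_base64(file.parse_text(.,
                                                      encodings=["ascii", "utf8", "utf16-le"]
                                      ).text,
                                      encodings=["ascii", "utf8", "utf16-le"]
                     ),
                     strings.ilike(.,
                                   "*onload*",
                                   "*window.location.href*",
                                   "*onerror*",
                                   "*CDATA*",
                                   "*<script*",
                                   "*</script*",
                                   "*atob*",
                                   "*location.assign*",
                                   "*decodeURIComponent*"
                     )
              )
            )
          )
          // Branch 2: SVG inside an archive (common archive extensions, or gzip,
          // which also covers .svgz). Children are matched by extension or mime
          // and checked against the extracted-string scan rather than parse_text.
          or (
            (
              .file_extension in $file_extensions_common_archives
              or .file_type == "gz"
              or .content_type == "application/x-gzip"
            )
            and any(file.explode(.),
                    (
                      .file_extension in~ ("svg", "svgz")
                      or .flavors.mime == "image/svg+xml"
                    )
                    and any(.scan.strings.strings,
                            strings.ilike(.,
                                          "*onload*",
                                          "*window.location.href*",
                                          "*onerror*",
                                          "*CDATA*",
                                          "*<script*",
                                          "*</script*",
                                          "*atob*",
                                          "*location.assign*",
                                          "*decodeURIComponent*"
                            )
                    )
            )
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  # NOTE(review): no sender-based logic is visible in `source`; confirm whether
  # "Sender analysis" is still accurate for this rule.
  - "Sender analysis"
  - "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"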