← Back to Explore
sublimehighRule
Attachment: Embedded Javascript in SVG file
Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
Detection Query
type.inbound
and any(attachments,
(
(
.file_extension in~ ("svg", "svgz")
or .content_type in~ ("image/svg+xml")
or .file_type == "svg"
)
and (
strings.ilike(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
or regex.icontains(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
'<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
)
or any(beta.scan_base64(file.parse_text(.).text,
encodings=["ascii", "utf8", "utf16-le"]
),
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
or (
(
.file_extension in $file_extensions_common_archives
or .file_type == "gz"
or .content_type == "application/x-gzip"
)
and any(file.explode(.),
(
.file_extension in~ ("svg", "svgz")
or .flavors.mime == "image/svg+xml"
)
and any(.scan.strings.strings,
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
- https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b
- https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961
- https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275
- https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440
- https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea
- https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3
- https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878
Raw Content
name: "Attachment: Embedded Javascript in SVG file"
description: |
Javascript inside SVG files can be used to smuggle malicious payloads or execute scripts.
references:
- "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
- "https://delivr.to/payloads?id=28178b12-766d-44d5-8654-d372a94ff961"
- "https://delivr.to/payloads?id=3dce858d-7be3-412e-85d9-84f3b9845275"
- "https://delivr.to/payloads?id=a0a38332-21b6-4394-b901-3697008e3440"
- "https://delivr.to/payloads?id=e30f12f2-de69-4e86-8b14-3c9b4e466bea"
- "https://delivr.to/payloads?id=9e1b64c8-748d-44f3-aaeb-3efbce9f84e3"
- "https://delivr.to/payloads?id=802a25c6-4a3d-468b-81d5-fc7313efd878"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
(
.file_extension in~ ("svg", "svgz")
or .content_type in~ ("image/svg+xml")
or .file_type == "svg"
)
and (
strings.ilike(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
or regex.icontains(file.parse_text(.,
encodings=[
"ascii",
"utf8",
"utf16-le"
]
).text,
'<iframe[^\>]+src\s*=\s*\"data:[^\;]+;base64,'
)
or any(beta.scan_base64(file.parse_text(.).text,
encodings=["ascii", "utf8", "utf16-le"]
),
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
or (
(
.file_extension in $file_extensions_common_archives
or .file_type == "gz"
or .content_type == "application/x-gzip"
)
and any(file.explode(.),
(
.file_extension in~ ("svg", "svgz")
or .flavors.mime == "image/svg+xml"
)
and any(.scan.strings.strings,
strings.ilike(.,
"*onload*",
"*window.location.href*",
"*onerror*",
"*CDATA*",
"*<script*",
"*</script*",
"*atob*",
"*location.assign*",
"*decodeURIComponent*"
)
)
)
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Scripting"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Sender analysis"
- "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"