Hello all, long time no see! I'm back with another malware analysis tutorial. In this post, we will examine how threat actors abuse SVG files for malicious purposes.

Scalable Vector Graphics (SVG) is an image format that uses XML to describe vector graphics, so an SVG can be scaled without any loss in quality. Because it is XML rather than a bitmap, the same file can also carry <script> elements, event-handler attributes and embedded HTML, which is exactly what makes the format attractive to attackers.

Let’s start with our analysis,

A normal SVG, opened in Notepad++, looks like this:

[Image: sample SVG in Notepad++]

As you can see, it is plain XML: a root <svg> element with width, height, viewBox and the drawing elements.

The same file, rendered in the browser, looks like any other image:

[Image: sample SVG in browser]

Now let's inspect our malicious SVG:

[Image: malicious SVG in Notepad++]

This one is also well-formed XML, but when rendered in the browser it redirects to a website:

[Image: malicious SVG in browser]

Psst: the website was unreachable at the time of analysis!

Note that script inside an SVG only runs when the file is loaded as a document: opened directly from disk or a download, or embedded via <object>, <embed> or <iframe>. When an SVG is referenced from an <img> tag, browsers draw the graphic but execute no script and load no external resources. That is why these samples are delivered as attachments or links that the victim opens directly.

Comparing the malicious SVG with the normal one, the difference stands out: it contains an <iframe> whose source is a base64-encoded blob.

[Image: iframe and base64 identified]

(For a browser to honour an <iframe> inside an SVG, the element has to be in the XHTML namespace, which is normally done by wrapping it in a <foreignObject>; a bare iframe in the SVG namespace is ignored. Either way, neither element has any business in a file that claims to be a picture, so both are good triage indicators.)

Decoding the base64 gives an HTML document that is mostly JavaScript.

[Image: decoded base64]
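As an added example (not code from the original post), here is a small Node.js script that performs the comparison above automatically: it flags the elements an ordinary image never needs and decodes any base64 text/html payload it finds, so the inner HTML can be analysed without opening the SVG in a browser. The SVG markup and the inner HTML are constructed for the example, and the foreignObject/XHTML-namespace layout is an assumption about how such samples are built.

```javascript
// Added example, not the post's code: quick static triage of an SVG file for
// the indicators discussed above. The sample markup below is constructed.

// Anything matching this is HTML smuggled into the image as a data: URI.
const BASE64_HTML = /data:text\/html;base64,([A-Za-z0-9+/=]+)/g;

function extractEmbeddedHtml(svgText) {
  // Decode every base64 text/html payload (iframe src, object data, etc.).
  return Array.from(svgText.matchAll(BASE64_HTML), (m) =>
    Buffer.from(m[1], 'base64').toString('utf8'));
}

function triageSvg(svgText) {
  const indicators = [];
  // Elements and attributes a plain picture never needs.
  if (/<script[\s>]/i.test(svgText)) indicators.push('script element');
  if (/<iframe[\s>]/i.test(svgText)) indicators.push('iframe element');
  if (/<foreignObject[\s>]/i.test(svgText)) indicators.push('foreignObject element');
  if (/\son[a-z]+\s*=/i.test(svgText)) indicators.push('event handler attribute');
  const embedded = extractEmbeddedHtml(svgText);
  if (embedded.length > 0) indicators.push(`${embedded.length} base64 text/html payload(s)`);
  return { suspicious: indicators.length > 0, indicators, embedded };
}

// Constructed samples: a harmless square, and an SVG smuggling an HTML page
// through an iframe inside a foreignObject (assumed layout for such samples).
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><rect width="10" height="10"/></svg>';

const INNER_HTML = '<html><body><script>/* obfuscated redirect goes here */</script></body></html>';
const MALICIOUS_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">',
  '  <foreignObject width="100" height="100">',
  '    <iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html;base64,' +
    Buffer.from(INNER_HTML).toString('base64') + '"></iframe>',
  '  </foreignObject>',
  '</svg>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, svg] of [['benign', BENIGN_SVG], ['malicious', MALICIOUS_SVG]]) {
    const r = triageSvg(svg);
    console.log(name, r.suspicious ? 'SUSPICIOUS: ' + r.indicators.join(', ') : 'clean');
    r.embedded.forEach((html) => console.log('  embedded HTML:', html));
  }
}
```

Run it with `node triage.js`; the decoded HTML is what you would paste into the next stage of analysis. A regex scan like this is deliberately crude (it does not parse the XML), but it is enough to sort a mailbox full of .svg attachments into "picture" and "look closer".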

Let's decode this JavaScript for better clarity.

[Image: execution of code 1]

A variable vart45x41 is defined with a long string, which is later passed to a function called varu63gup. That function unwraps the string in three steps.

At the first pointer, the string is split into characters, reversed, and joined back together.

CyberChef can do the same with its Reverse operation:

[Image: decoding of code 1]

At the second pointer, the resulting string is passed through a regular-expression replace.

[Image: execution of code 2]

The CyberChef equivalent is a Find / Replace operation in regex mode:

[Image: decoding of code 2]

At the third pointer, the string is split, each piece is mapped through String.fromCharCode, and the results are joined again.

[Image: execution of code 3]

For this step we execute the code directly in the browser's dev tools console. Paste only the string transformations, never the final line that assigns to the page location, and do it in a throwaway browser profile or a VM rather than your everyday browser.

[Image: decoding of code 3]

It returns the website address to which the SVG redirects.

Finally, the code assigns that value to the current page's location, i.e. the browser navigates to the malicious URL.

[Image: execution of code 4]
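The three stages, reproduced end to end in Node.js as an added example rather than the sample's own code. The URL, the comma separator between character codes, and the use of junk letters as the thing the regex strips are all assumptions, since the post does not show the exact regex; obfuscate() exists only to build a test input in the same shape, and the final step returns the URL instead of assigning it to the page location so the whole thing can be run offline (it also works pasted into a dev tools console).

```javascript
// Added example, not the sample's code: the reverse -> regex replace ->
// fromCharCode chain described above, run against a constructed input.

// Inverse of the deobfuscator, used only to build test data. Assumes the
// sample's author joined char codes with ',' and padded them with junk letters.
function obfuscate(url) {
  const codes = Array.from(url, (ch) => ch.charCodeAt(0)).join(',');
  const junked = codes.split('').map((c, i) => c + 'xq'[i % 2]).join('');
  return junked.split('').reverse().join('');
}

function deobfuscate(blob) {
  // Pointer 1: split into characters, reverse, join.
  const reversed = blob.split('').reverse().join('');
  // Pointer 2: regex replace. Assumed here to strip junk letters; substitute
  // the sample's actual regex when you have it.
  const cleaned = reversed.replace(/[a-z]/g, '');
  // Pointer 3: split on the separator, map through fromCharCode, join.
  return cleaned.split(',').map((n) => String.fromCharCode(Number(n))).join('');
}

// Pointer 4 in the sample assigns the result to the page location. For
// analysis we stop one step short and just hand the URL back.
function recoverRedirectTarget(blob) {
  return deobfuscate(blob);
}

// Constructed input: an .invalid domain so nothing resolves if it leaks.
const SAMPLE_URL = 'https://example.invalid/landing';
const SAMPLE_BLOB = obfuscate(SAMPLE_URL);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('obfuscated :', SAMPLE_BLOB);
  console.log('redirects to', recoverRedirectTarget(SAMPLE_BLOB));
}
```

The shape of the chain is the useful part: when you meet a new sample, read the function from the inside out, identify which of these primitives each line is, and replace the final navigation with a return or a console.log before running anything.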

At the time of writing, the SVG's hash had 4 detections on VirusTotal.

[Image: VirusTotal result]

It is always better to use a reputable content blocker such as uBlock Origin, or Pi-hole with adequate blocklists, so that a known-bad redirect destination is blocked even if the SVG is opened. Keep in mind that blocklists only catch domains already on them. Antivirus alone is not a reliable defence here: the SVG carries no binary payload, only a redirect, so as with phishing the damage happens in the browser after the user opens the file. Treating .svg attachments as active content at the mail gateway (or blocking them outright) removes the delivery vector.

Thank you for reading this far. Next time we will dissect another sample or look at an evasion technique; until then, Пока-пока (bye-bye).