High Severity

Attachment: SVG file execution

Labels

Malware/Ransomware

Scripting

Archive analysis

Content analysis

File analysis

Description

Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.

References

https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b

Sublime Security

Created Aug 17th, 2023 • Last updated Aug 8th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        (
          .file_extension =~ "svg"
          or .file_extension in $file_extensions_common_archives
          or .file_type == "svg"
        )
        and any(file.explode(.),
                .file_extension == "svg"
                // Author Matt harr0ey @harr0ey
                // Topic: SVG file Execution
                // WScript inside SVG
                // <script language="JScript">
                // <![CDATA[
                // var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
                // ]]>
                // </script>
                and any(.scan.strings.strings,
                        strings.icontains(., "ActiveXObject")
                )
                and any(.scan.strings.strings,
                        strings.icontains(., "WScript.Shell")
                )
                and any(.scan.strings.strings,
                        strings.like(., "*Run*", "*Execute*")
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.