{ "Event": { "analysis": "2", "date": "2017-01-25", "extends_uuid": "", "info": "OSINT - Malicious SVG Files in the Wild", "publish_timestamp": "1485354954", "published": true, "threat_level_id": "3", "timestamp": "1485354940", "uuid": "588867a4-c470-4914-b854-d3f6950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#0b8c00", "name": "misp-galaxy:tool=\"Snifula\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485335668", "to_ids": false, "type": "text", "uuid": "58886c74-6c08-4ab2-8c2b-f8df950d210f", "value": "In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or \"Scalable Vector Graphics\") are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system, SVG files are handled by Internet Explorer by default." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1485335781", "to_ids": false, "type": "link", "uuid": "58886ccc-507c-4c7e-87b0-5b46950d210f", "value": "https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#075200", "name": "admiralty-scale:source-reliability=\"b\"" } ] }, { "category": "Payload delivery", "comment": "00967999543-(02).svg", "deleted": false, "disable_correlation": false, "timestamp": "1485335823", "to_ids": true, "type": "md5", "uuid": "58886d0f-7a80-4188-9ca9-2fc5950d210f", "value": "6b9649531f35c7de78735aa45d25d1a7" }, { "category": "Payload delivery", "comment": "P0039988439992_001.jpg.svg", "deleted": false, "disable_correlation": false, "timestamp": "1485335824", "to_ids": true, "type": "md5", "uuid": "58886d10-9ca4-452d-a1e1-2fc5950d210f", "value": "e2f7245d016c52fc9c56531e483e6cfb" }, { "category": "Network activity", "comment": "The second part is a classic obfuscated JavaScript that executes the following (de-obfuscated) code:", "deleted": false, "disable_correlation": false, "timestamp": "1485354408", "to_ids": true, "type": "url", "uuid": "58886d30-90dc-4a21-8d14-f8e5950d210f", "value": "http://juanpedroperez.com/fotos/photos/xfs_extension.exe", "Tag": [ { "colour": "#2d0048", "name": "adversary:infrastructure-status=\"compromised\"" } ] }, { "category": "Payload delivery", "comment": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb", "deleted": false, "disable_correlation": false, "timestamp": "1485354378", "to_ids": true, "type": "sha256", "uuid": "5888b58a-9d84-49d9-9465-4e3f02de0b81", "value": "7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df" }, { "category": "Payload delivery", "comment": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb", "deleted": false, "disable_correlation": false, "timestamp": "1485354379", "to_ids": true, "type": "sha1", "uuid": "5888b58b-0fc8-4aee-bc0f-430f02de0b81", "value": "caf8d6099ed95d223993f43a156b703220d1a1c3" }, { "category": "External analysis", "comment": "P0039988439992_001.jpg.svg - Xchecked via VT: e2f7245d016c52fc9c56531e483e6cfb", "deleted": false, "disable_correlation": false, "timestamp": "1485354379", "to_ids": false, "type": "link", "uuid": "5888b58b-879c-409a-8eaa-465b02de0b81", "value": "https://www.virustotal.com/file/7cd31c21f03d54f88de2d5ae715be416bfaa69b3230bdd93aba44c07963363df/analysis/1484747652/" }, { "category": "Payload delivery", "comment": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7", "deleted": false, "disable_correlation": false, "timestamp": "1485354380", "to_ids": true, "type": "sha256", "uuid": "5888b58c-eb80-46a8-8853-46a402de0b81", "value": "4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2" }, { "category": "Payload delivery", "comment": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7", "deleted": false, "disable_correlation": false, "timestamp": "1485354381", "to_ids": true, "type": "sha1", "uuid": "5888b58d-c0c8-406b-b0d1-41ae02de0b81", "value": "5837a4d288ac9d0065143a88f4899283b4603eee" }, { "category": "External analysis", "comment": "00967999543-(02).svg - Xchecked via VT: 6b9649531f35c7de78735aa45d25d1a7", "deleted": false, "disable_correlation": false, "timestamp": "1485354382", "to_ids": false, "type": "link", "uuid": "5888b58e-0508-4f80-a64e-486102de0b81", "value": "https://www.virustotal.com/file/4682a3ad2c6ae46a8eb1190936583ebc69644b206e2e9103071c4630f081b3f2/analysis/1485160514/" } ] } }