As mentioned in diary entry “Increase In Phishing SVG Attachments“, I have a phishing SVG sample with heavily obfuscated JavaScript.

As I didn’t want to spend time doing static analysis, I did a quick dynamic analysis instead. TL;DR: I open the SVG file in a VM disconnected from the Internet, and use Edge’s developer tools to view the deobuscated URL.

First I make sure the VM is disconnected from the network:

Then I open the SVG file in Edge (Chrome works too):

I open the developer tools:

I switch to the Network tab:

And then I type a dummy password and click on the Download button:

I can then view the deobfuscated URL:

And also the payload:

 

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.