VirusTotal Code Insight keeps adding new file formats. This time, we’re looking at two vector-based formats from very different eras: SWF and SVG. Curiously, right after we rolled out this update in production, one of the very first submitted files gave us a perfect, and unexpected, example of Code Insight in action: it uncovered an undetected malware campaign using SVG files that impersonated the Colombian justice system.
SWF: a blast from the past
Flash is dead: Adobe ended support at the end of 2020, and browsers dropped it shortly after. But surprisingly, SWF files still show up on VirusTotal. Whether it's old malware resurfacing, retro hunting, or long-tail campaigns, they haven't disappeared completely.
In fact, VirusTotal received 47,812 unique SWF files in the last 30 days that had never been seen before, and 466 of them were flagged as malicious by at least one antivirus engine.
SWF files are binary and compiled, so before any analysis can happen Code Insight needs to:
- Unpack the container: the three-byte signature says whether it is uncompressed (FWS), zlib-compressed (CWS) or LZMA-compressed (ZWS)
- Parse the internal tag structure
- Extract the embedded scripts: ActionScript 2 (AVM1 action records in DoAction/DoInitAction tags) or ActionScript 3 (AVM2 bytecode in DoABC tags, which has to be disassembled or decompiled)
Once we lift those scripts into something closer to pseudocode or readable disassembly, the LLM steps in to summarize what the file is doing and why it might be suspicious.
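As an added worked example (not VirusTotal's code, and not a description of how Code Insight is implemented), the following Python script does the three steps above at small scale: it unpacks the FWS/CWS/ZWS container, walks the tag table, and disassembles the AVM1 actions it finds far enough to recover GetURL targets, which is the kind of lifted output an LLM or an analyst can then reason about. The SWF it analyses is constructed inside the script, so the URL, version and stage size are made up; AVM2 (DoABC) tags are only counted, because ABC bytecode needs a full disassembler.

```python
"""SWF triage: unpack FWS/CWS/ZWS, walk the tag table, and disassemble enough
AVM1 (ActionScript 2) to pull URLs out of DoAction tags. Added example, not
VirusTotal's code; the sample SWF is constructed below so this runs offline."""
import lzma
import struct
import zlib

# SWF tag codes: 12/59 carry AVM1 actions, 72/82 carry AVM2 (ABC) bytecode.
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 59: "DoInitAction",
             69: "FileAttributes", 72: "DoABC", 82: "DoABC"}
# A few AVM1 opcodes; any opcode >= 0x80 is followed by a UI16 length and payload.
AVM1_OPS = {0x00: "End", 0x26: "Trace", 0x83: "GetURL", 0x96: "Push", 0x9A: "GetURL2"}


def unpack_swf(data):
    """Return (signature, version, uncompressed body after the 8-byte header)."""
    sig, version, declared_len = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":                          # uncompressed
        body = data[8:]
    elif sig == b"CWS":                        # zlib
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                        # UI32 compressed len, 5-byte LZMA props, LZMA1 stream
        props = data[12:17]                    # on untrusted input, cap dict_size before decoding
        filt = {"id": lzma.FILTER_LZMA1, "dict_size": struct.unpack_from("<I", props, 1)[0],
                "lc": props[0] % 9, "lp": (props[0] // 9) % 5, "pb": props[0] // 45}
        body = lzma.decompress(data[17:], format=lzma.FORMAT_RAW, filters=[filt])
    else:
        raise ValueError(f"not a SWF: {sig!r}")
    if len(body) + 8 != declared_len:          # the header declares the *uncompressed* size
        raise ValueError("declared length does not match decompressed size")
    return sig.decode(), version, body

def iter_tags(body):
    """Yield (code, payload) from the tag table that follows RECT, FrameRate and FrameCount."""
    nbits = body[0] >> 3                       # RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4         # byte-align, skip UI16 FrameRate + UI16 FrameCount
    while pos + 2 <= len(body):
        (head,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:                     # long form: SI32 length follows
            (length,) = struct.unpack_from("<i", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:
            break

def disasm_avm1(actions):
    """Tiny AVM1 disassembler: opcode names plus the url/target of GetURL records."""
    out, pos = [], 0
    while pos < len(actions):
        op, payload = actions[pos], b""
        pos += 1
        if op >= 0x80:
            (length,) = struct.unpack_from("<H", actions, pos)
            payload = actions[pos + 2:pos + 2 + length]
            pos += 2 + length
        name = AVM1_OPS.get(op, f"op_{op:02x}")
        if op == 0x83:                         # GetURL payload: url\0 target\0
            url, target = payload.split(b"\0")[:2]
            name += f' "{url.decode()}" -> "{target.decode()}"'
        out.append(name)
        if op == 0x00:
            break
    return out

def triage(data):
    """Summarise container, tag sequence, lifted scripts and URLs for an analyst (or an LLM)."""
    sig, version, body = unpack_swf(data)
    report = {"container": sig, "version": version, "tags": [], "scripts": [], "urls": []}
    for code, payload in iter_tags(body):
        report["tags"].append(TAG_NAMES.get(code, f"tag_{code}"))
        if code in (12, 59):
            listing = disasm_avm1(payload)
            report["scripts"].append(listing)
            report["urls"] += [line.split('"')[1] for line in listing if line.startswith("GetURL ")]
        elif code in (72, 82):
            report["scripts"].append([f"<DoABC: {len(payload)} bytes of AVM2 bytecode>"])
    return report

def build_sample(signature):
    """Constructed one-frame SWF whose DoAction issues GetURL to a made-up download URL."""
    rect = (((15 << 60) | (11000 << 30) | 8000) << 7).to_bytes(9, "big")  # 550x400 px stage
    header = rect + struct.pack("<HH", 24 << 8, 1)                         # 24 fps, one frame
    tag = lambda code, payload=b"": struct.pack("<H", (code << 6) | len(payload)) + payload
    geturl = b"http://example.invalid/payload.exe\0_self\0"
    actions = bytes([0x83]) + struct.pack("<H", len(geturl)) + geturl + b"\x00"
    plain = header + tag(69, b"\0\0\0\0") + tag(12, actions) + tag(1) + tag(0)
    head = signature + bytes([10]) + struct.pack("<I", 8 + len(plain))
    if signature == b"FWS":
        return head + plain
    if signature == b"CWS":
        return head + zlib.compress(plain)
    comp = lzma.compress(plain, format=lzma.FORMAT_RAW,                    # ZWS: lc=3, lp=0, pb=2
                         filters=[{"id": lzma.FILTER_LZMA1, "dict_size": 1 << 23, "lc": 3, "lp": 0, "pb": 2}])
    return head + struct.pack("<I", len(comp)) + bytes([3 + 9 * (0 + 5 * 2)]) + struct.pack("<I", 1 << 23) + comp
```

`triage(build_sample(b"CWS"))` returns the container type, the tag sequence, the lifted listing (`GetURL "http://example.invalid/payload.exe" -> "_self"`, then `End`) and the extracted URL; the FWS and ZWS variants produce the same listing, which is the point: the wrapper changes, the script inside does not. Two caveats for real samples: the ZWS dictionary size is read from the file, so cap it before handing it to lzma, and the header's declared length is the uncompressed size, a cheap consistency check that catches truncated or tampered files.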
SVG: modern, open, and still abusable
SVGs, on the other hand, are very much alive. It’s a standard web format, open, text-based, and everywhere: websites, design tools, build systems. And that’s also why attackers like it.
In the last 30 days alone, VirusTotal received 140,803 unique SVG files that had never been seen before, and 1,442 of them were flagged as malicious by at least one antivirus engine. That is roughly 1% with detections, curiously the same ratio as for SWF.
SVG is just XML with <svg> at the root. If it's a .svgz, which is simply a gzip-compressed SVG, we decompress it first. From there, Code Insight looks for:
- Embedded JavaScript in <script> tags or event handlers (onload, onclick
[…]
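As an added example (not VirusTotal's code), here is a Python version of the SVG checks described above. It inflates .svgz input by sniffing the gzip magic rather than trusting the extension, confirms the <svg> root, and reports <script> elements (inline or external) and on* event-handler attributes. Going slightly beyond what the post names, it also flags javascript: URLs in href/xlink:href, which is the third classic place script hides in an SVG. The sample document is constructed here, including its made-up URLs.

```python
"""SVG triage: inflate .svgz if needed, confirm the <svg> root, and list the
places where script can hide. Added example, not VirusTotal's code; the sample
document below is constructed, so its URLs and handler bodies are invented."""
import gzip
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]

def load_svg(data):
    """Return the parsed root; .svgz is plain gzip, so sniff the magic, not the file name."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    root = ET.fromstring(data)          # for untrusted input use defusedxml's fromstring
    if local_name(root.tag) != "svg":
        raise ValueError(f"root is {root.tag}, not <svg>")
    return root

def find_active_content(root):
    """Return (where, code) pairs: <script> bodies or src, on* handlers, javascript: links."""
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag == "script":             # external via href/xlink:href, otherwise inline text
            ext = next((v for k, v in el.attrib.items() if local_name(k) == "href"), None)
            findings.append(("script", ext if ext else (el.text or "").strip()))
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):   # onload, onclick, onmouseover, onbegin, ...
                findings.append((f"{tag}@{name}", value.strip()))
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((f"{tag}@{name}", value.strip()))
    return findings

def triage_svg(data):
    """Small report: whether the file carries script at all, and where."""
    findings = find_active_content(load_svg(data))
    return {"has_script": bool(findings), "findings": findings}


# Constructed sample: a lure that runs code on load, on click, via a link and a <script>.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="100" onload="init()">
  <rect width="200" height="100" fill="#eee" onclick="location='https://example.invalid/next'"/>
  <a xlink:href="javascript:open()"><text x="10" y="50">Open document</text></a>
  <script><![CDATA[eval(atob(payload));]]></script>
</svg>"""
SAMPLE_SVGZ = gzip.compress(SAMPLE_SVG)     # the same document as a .svgz
```

`triage_svg(SAMPLE_SVGZ)` and `triage_svg(SAMPLE_SVG)` return the same four findings (`svg@onload`, `rect@onclick`, `a@href` and the inline `script` body), so compression does not hide anything once the gzip layer is peeled off. For files you did not produce yourself, parse with defusedxml rather than the stdlib ElementTree: the XML itself, not just the script inside it, can be hostile.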
Source: VirusTotal Blog.