Uncovering a Colombian Malware Campaign with AI Code Analysis
VirusTotal Code Insight keeps adding new file formats. This time, we’re looking at two vector-based formats from very different eras: SWF and SVG. Curiously, right after we rolled out this update in production, one of the very first submitted files gave us a perfect, and unexpected, example of Code Insight in action: it uncovered an undetected malware campaign using SVG files that impersonated the Colombian justice system.
SWF: a blast from the past
Flash is dead: Adobe killed it in 2020, and browsers stopped supporting it shortly after. But surprisingly, SWF files still show up on VirusTotal. Whether it’s old malware resurfacing, retro hunting, or long-tail campaigns, they haven’t disappeared completely.
In fact, VirusTotal received 47,812 unique SWF files in the last 30 days that had never been seen before, and 466 of them were flagged as malicious by at least one antivirus engine.
SWF files are binary and compiled. That means Code Insight needs to:
- Unpack and decompress the container (often zlib or LZMA)
- Parse the internal tag structure
- Extract embedded scripts, either ActionScript 2 (AVM1) or ActionScript 3 (AVM2 bytecode + decompiling/disassembling)
Once we lift those scripts into something closer to pseudocode or readable disassembly, the LLM steps in to summarize what the file is doing and why it might be suspicious.
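As an added illustration of that unpacking step (example code written for this explanation, not Code Insight’s or VirusTotal’s own code), the following Python opens an SWF container, handles the FWS, CWS and ZWS signatures, skips the RECT and frame fields, and lists the tags that carry ActionScript. The CWS file it builds is a constructed fixture; the ZWS branch assumes the raw LZMA1 layout Flash writes after the 5-byte properties block.

```python
import lzma
import struct
import zlib
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABC", 82: "DoABC2"}   # tags that carry ActionScript

def unpack_swf(data: bytes) -> bytes:
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    sig = data[:3]
    if sig == b"FWS":                         # stored uncompressed
        return data[8:]
    if sig == b"CWS":                         # zlib-compressed body (SWF 6+)
        return zlib.decompress(data[8:])
    if sig == b"ZWS":                         # UI32 packed size, 5-byte LZMA props, then raw LZMA1 data
        lc, lp, pb = data[12] % 9, data[12] // 9 % 5, data[12] // 45   # props byte = (pb*5 + lp)*9 + lc
        flt = [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb,
                "dict_size": struct.unpack_from("<I", data, 13)[0]}]
        return lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=flt).decompress(data[17:])
    raise ValueError("not an SWF container")

def swf_scripts(data: bytes) -> list[dict]:
    """Walk the tag list and return every script-bearing tag (AS2 actions or AS3 ABC blocks)."""
    body = unpack_swf(data)
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then 4 fields of nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, frame rate (UI16) and frame count (UI16)
    scripts = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                    # long form: a UI32 length follows the short header
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        payload, pos = body[pos:pos + length], pos + length
        if code == 0:                         # End tag
            break
        if code in SCRIPT_TAGS:
            entry = {"tag": SCRIPT_TAGS[code], "size": length}
            if code == 82:                    # DoABC2: UI32 flags, NUL-terminated name, then the ABC data
                entry["name"] = payload[4:payload.index(b"\x00", 4)].decode("latin-1")
            scripts.append(entry)
    return scripts

def build_swf_sample() -> bytes:
    """Constructed CWS file: FileAttributes, one DoABC2 tag and one long-form DoAction tag."""
    head = b"\x78" + b"\x00" * 8 + b"\x00\x18\x01\x00"    # RECT (nbits=15), 24 fps, 1 frame
    attrs = struct.pack("<H", (69 << 6) | 4) + b"\x08\x00\x00\x00"   # FileAttributes with the AS3 bit set
    abc = b"\x01\x00\x00\x00frame1\x00\x10\x00\x2e\x00"    # lazy-init flag, name "frame1", ABC 46.16
    doabc = struct.pack("<H", (82 << 6) | len(abc)) + abc
    acts = b"\x96\x03\x00\x00\x41\x00\x26\x00"              # ActionPush "A", ActionTrace, End
    doaction = struct.pack("<HI", (12 << 6) | 0x3F, len(acts)) + acts
    body = head + attrs + doabc + doaction + b"\x00\x00"    # trailing End tag
    return b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
```

The tag payloads returned here are the raw AS2 action stream or ABC blob; decompiling them is the next step the post describes, not something this block does.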
SVG: modern, open, and still abusable
SVGs, on the other hand, are very much alive. It’s a standard web format, open, text-based, and everywhere: websites, design tools, build systems. And that’s also why attackers like it.
In the last 30 days alone, VirusTotal received 140,803 unique SVG files that had never been seen before, and 1,442 of them were flagged as malicious by at least one antivirus engine. That’s roughly 1% with detections, curiously the same ratio as SWF.
SVG is just XML with <svg> at the root. If it’s a .svgz, we decompress it first. From there, Code Insight looks for:
- Embedded JavaScript in <script> tags or event handlers (onload, onclick…)
- Redirects using javascript: URLs or location.href
- Obfuscation tricks (CDATA, character entities, base64 payloads, etc.)
Because SVG is plain text, the challenge isn’t unpacking, it’s spotting the malicious logic hiding in plain sight.
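An added example of that checklist in plain Python (written for this explanation, not Code Insight’s code): it unwraps .svgz, checks for an <svg> root, and reports script elements, on* handlers, javascript: hrefs, location.href use, CDATA and character-entity counts, and what any long base64 literal inside a script decodes to. The fixture, the 64-character base64 threshold and the payload labels are assumptions made for the example.

```python
import base64
import gzip
import re
import xml.etree.ElementTree as ET
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # 64 suits the fixture; campaign blobs run to megabytes

def local(name: str) -> str:
    return name.rsplit("}", 1)[-1]                     # '{http://www.w3.org/2000/svg}script' -> 'script'

def classify_blob(raw: bytes) -> str:
    """Label a decoded base64 payload by its leading bytes: ZIP magic, HTML markup, or other."""
    head = raw.lstrip().lower()
    return "zip" if raw.startswith(b"PK\x03\x04") else "html" if head.startswith((b"<html", b"<!doctype")) else "binary"

def triage_svg(data: bytes) -> dict:
    """Collect the script-related indicators listed above from an SVG or SVGZ file."""
    if data[:2] == b"\x1f\x8b":                        # .svgz is just gzip-wrapped SVG
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    found = {"scripts": 0, "handlers": [], "js_urls": 0, "payloads": [], "cdata": text.count("<![CDATA["),
             "entities": len(re.findall(r"&#x?[0-9A-Fa-f]+;", text))}   # both counted on the raw text
    root = ET.fromstring(data)                         # for untrusted files, parse with defusedxml instead
    if local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    joined = ""
    for el in root.iter():                             # includes the root, so <svg onload=...> is seen
        if local(el.tag) == "script":
            found["scripts"] += 1
            joined += "".join(el.itertext()) + "\n"    # the parser has already unwrapped any CDATA section
        for attr, value in el.attrib.items():
            if local(attr).lower().startswith("on"):   # onload, onclick, onmouseover ...
                found["handlers"].append(local(attr))
            elif local(attr) == "href" and value.strip().lower().startswith("javascript:"):
                found["js_urls"] += 1
    found["location_redirect"] = "location.href" in joined
    for blob in B64_RUN.findall(joined):               # decode long literals and say what they contain
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                             # binascii.Error is a ValueError subclass
            continue
        found["payloads"].append((classify_blob(raw), len(raw)))
    return found

def build_svg_sample() -> bytes:
    """Constructed fixture: onload handler, CDATA script, a base64 HTML lure and a base64 ZIP header."""
    html = base64.b64encode(b"<html><body>" + b"<p>constructed lure</p>" * 4 + b"</body></html>").decode()
    zipb = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()      # ZIP magic plus padding, nothing else
    return ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">'
            f'<script><![CDATA[function go(){{document.body.innerHTML=atob("{html}");var z=atob("{zipb}");}}]]></script>'
            '<a xlink:href="javascript:void(0)"><text>&#68;&#101;scargar</text></a></svg>').encode()
```

On a real file, a script literal that decodes to a ZIP archive is the dropper pattern discussed later in this post; a decoded HTML document is the injected lure.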
Let’s see a couple of examples:
When a SWF is flagged, but isn’t malicious
One common challenge in threat analysis is dealing with files that trigger detections in just a few antivirus engines. They’re not clean, but they’re not clearly malicious either. These gray areas force analysts to dig deeper, often wasting time chasing false positives.
The SWF file in the screenshot is a perfect example.
350422c3915a8a1a1336147f89061b25c8354af58db0050e2f9ef2b384e59f62
It was flagged by 3 out of 63 engines. Enough to raise doubts, but not conclusive. The detections mention known SWF heuristics and an old CVE.
Thanks to Code Insight, we can quickly understand what’s going on. It identifies the SWF as a complex ActionScript-based game, including 3D rendering, sound management, and a full level editor. The analysis also explains why the file might look suspicious: it uses obfuscated classes and cryptographic functions (like RC4 and AES) and gathers system details. These are techniques often associated with malware, but they are also common in Flash games that enforce DRM or prevent tampering.
The verdict? No malicious behavior was observed, and now we know why it looked suspicious in the first place.
This kind of context is exactly what Code Insight is designed for: saving time, reducing uncertainty, and helping you focus on real threats.
When AV misses, but Code Insight doesn’t
This second example shows the other side of the coin: a malicious SVG file that evaded all antivirus engines, going completely undetected on VirusTotal. On the surface, it looks clean, but a quick look with Code Insight tells a very different story.
1527ef7ac7f79bb1a61747652fd6015942a6c5b18b4d7ac0829dd39842ad735d
According to Code Insight: “This SVG file executes an embedded JavaScript payload upon rendering. The script decodes and injects a Base64-encoded HTML phishing page impersonating a Colombian government judicial system portal. To deceive the user, it simulates a file download with a progress bar, while in the background, it decodes a second, large Base64 string, which is a malicious ZIP archive, and forces its download.”
We validated this behavior by opening the sample in a controlled environment. As shown in the screenshots below, the fake portal is rendered exactly as described, simulating an official government document download process. The phishing site includes case numbers, security tokens, and visual cues to build trust, all of it crafted within an SVG file.
Despite its zero detections, this SVG hides two layers of abuse:
- A convincing phishing lure, injected via inline JavaScript and decoded on-the-fly
- A malware dropper, silently extracting and triggering the download of a ZIP file in the background
This is exactly the kind of threat Code Insight is meant to catch: well-crafted, script-based attacks that fly under the radar.
A deeper look: from one SVG to a full campaign
Curiously, the malicious SVG we highlighted earlier wasn’t just any random sample: it was one of the very first files submitted right after we deployed SVG support in Code Insight. A coincidence? Or were we seeing the tip of something bigger?
Thanks to VirusTotal Intelligence, we can search through our massive sample collection using hundreds of parameters, including queries that look inside Code Insight reports. So we ran:
type:svg AND codeinsight:"Colombian"
And voilà: 44 unique SVG files surfaced, all undetected by antivirus engines, but all flagged by Code Insight as part of the same phishing and malware campaign.
Diving into the source code of these SVGs, we found:
- Code obfuscation techniques
- Use of polymorphism, with slight changes in every file
- Large amounts of dummy (garbage) code to increase entropy and evade static detection
But Code Insight had no problem cutting through the noise.
One thing stood out: the attackers left Spanish-language comments in their scripts, with phrases like “POLIFORMISMO_MASIVO_SEGURO” and “Funciones dummy MASIVAS”. While most of the code changed from sample to sample, those comments stayed exactly the same, a clear weakness, and a perfect signature for a simple YARA rule.
So we wrote a very basic one:
Running a retrohunt over the last year with this basic rule returned 523 matches.
Sorting by submission time, the first sample dates back to August 14, 2025, also submitted from Colombia, and also with 0 antivirus detections at the time.
We reanalyzed that first sample with the current version of Code Insight, and again, it produced an accurate description of the phishing page and malware dropper, impersonating the Colombian Fiscalía General de la Nación.
Looking deeper, we saw that the earliest samples were larger, around 25MB, and the size decreased over time, suggesting the attackers were evolving their payloads. Most importantly, the distribution vector was email, allowing us to pivot into delivery metadata: senders, subjects, attachment names, and more.
Final thoughts
SWF and SVG are very different formats from very different eras, but both can still cause headaches for analysts.
In the first case, Code Insight helped explain why a SWF file looked suspicious without actually being malicious. In the second, it uncovered malicious behavior in an SVG that had gone completely undetected.
This is where Code Insight helps most: giving context, saving time, and helping focus on what really matters. It’s not magic, and it won’t replace expert analysis, but it’s one more tool to cut through the noise and get to the point faster. And when Code Insight and VirusTotal Intelligence work together, one suspicious sample can become the key to revealing an entire campaign.