I see a lot of malicious RTF files that are heavily obfuscated. Last, I received a sample that rtfobj or rtfdump could not handle properly to correctly identify OLE objects (“Not a well-formed OLE object”). But my rtfdump tool has an option that can help decode objects that are not well-formed. Let’s take a closer look.
Article Link: https://isc.sans.edu/diary/rss/23169