Another malware campaign using malformed RTF files involving Microsoft Office Equation Editor exploits to extract or drop a zip file from an embedded ole object containing the payload and an “innocent” lure doc to be displayed. Today it looks like CVE-2017-8570. The payload is Azorult. This is quite an involved, devious chain of delivery which after opening the word doc ( RTF) attachment to the email it very quickly partially opens & then immediately closes and extracts the contents of a zip containing a Fake Word doc & the malware payload. It then displays the fake word doc in place … Continue reading →