See https://twitter.com/justadrawer2/status/1256437895348420608
RTF dropping Agent Tesla, using obfuscation that breaks rtfobj. Looks like depending on placement "\rt" and "\rtf" can act both as a normal control word and destination control word.


Sample:
https://app.any.run/tasks/1c455b64-7b1a-4a70-8418-2b26a92f1485/
https://app.any.run/tasks/1cb250d0-0dc6-4f5f-8554-42da7f9b277f/
This is related to issue #522