drop rtf file · parse rtf control words and groups · extract document metadata · detect suspicious control sequences · surface embedded objects, ole content and obfuscated payloads · runs locally
rtf
tokenizer + \objdata hex → OLE · Equation.3 CVE flag · obfuscation heuristics