Weaponized RTF documents containing an OLE2Link exploit may indicate an adversary attempting to execute malicious code through document-based attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential initial compromise vectors used by adversaries.
YARA Rule
rule malrtf_ole2link : exploit
{
    meta:
        author = "@h3x2b <tracker _AT h3x.eu>"
        description = "Detect weaponized RTF documents with OLE2Link exploit"

    strings:
        // normal RTF beginning
        $rtf_format_00 = "{\\rtf1"
        // malformed RTF can have, for example, {\rtA1
        $rtf_format_01 = "{\\rt"

        // embedded object data structure
        $rtf_olelink_01 = "\\objdata" nocase
        // hex-encoded ASCII "OLE2Link"
        $rtf_olelink_02 = "4f4c45324c696e6b" nocase
        // hex-encoded docfile magic (OLE2 compound file header, D0CF11E0...)
        $rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase

        // hex-encoded UTF-16LE "http://"
        $rtf_payload_01 = "68007400740070003a002f002f00" nocase
        // hex-encoded UTF-16LE "https://"
        $rtf_payload_02 = "680074007400700073003a002f002f00" nocase
        // hex-encoded UTF-16LE "ftp://"
        $rtf_payload_03 = "6600740070003a002f002f00" nocase

    condition:
        // new_file and
        any of ($rtf_format_*)
        and all of ($rtf_olelink_*)
        and any of ($rtf_payload_*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 8 string patterns in its detection logic.
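To show what the rule's hex atoms actually encode and how its condition combines them, here is an added plain-Python re-implementation of the same logic (example code, not part of the original rule). It derives the atoms from their plain-text meaning, evaluates the condition over two constructed RTF samples, and decodes the \objdata hex for triage; the sample documents, the helper names and the whitespace-in-hex caveat are assumptions of this example.

```python
"""Plain-Python re-implementation of the malrtf_ole2link rule logic (added
example, not part of the original rule), run over two constructed samples."""
import re

# Rule atoms derived rather than hard-coded: the OLE2Link marker and docfile
# magic are hex of raw bytes, the URL schemes are hex of UTF-16LE text.
RTF_HEADERS = [b"{\\rtf1", b"{\\rt"]  # second also covers malformed {\rtA1
OLELINK_ATOMS = [
    b"\\objdata",                 # $rtf_olelink_01
    b"OLE2Link".hex().encode(),   # $rtf_olelink_02 -> 4f4c45324c696e6b
    b"d0cf11e0a1b11ae1",          # $rtf_olelink_03, compound-file magic
]
PAYLOAD_ATOMS = [s.encode("utf-16-le").hex().encode()
                 for s in ("http://", "https://", "ftp://")]  # $rtf_payload_0*

def has_nocase(data: bytes, atom: bytes) -> bool:
    """Equivalent of a YARA text string with the 'nocase' modifier."""
    return re.search(re.escape(atom), data, re.IGNORECASE) is not None

def match_malrtf_ole2link(data: bytes) -> dict:
    """Evaluate the rule condition; returns each group's result plus 'match'."""
    hits = {
        "rtf_format": any(h in data for h in RTF_HEADERS),           # any of
        "olelink": all(has_nocase(data, a) for a in OLELINK_ATOMS),  # all of
        "payload": any(has_nocase(data, a) for a in PAYLOAD_ATOMS),  # any of
    }
    hits["match"] = all(hits.values())
    return hits

def decode_objdata(data: bytes) -> bytes:
    """Decode the hex body of the first \\objdata group for triage. RTF writers
    may split the hex across lines, which breaks the rule's contiguous hex atoms;
    matching on the decoded bytes is the more robust check (assumption)."""
    m = re.search(rb"\\objdata\s*([0-9a-fA-F\s]+)", data)
    return bytes.fromhex(b"".join(m.group(1).split()).decode("ascii")) if m else b""

# Constructed sample: benign RTF with no embedded object.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report, text only.}"

# Constructed sample with the shape the rule targets (markers only, not a working
# exploit): malformed header, objdata hex holding docfile magic, the OLE2Link
# marker and a UTF-16LE URL, in upper-case hex to exercise 'nocase'.
SUSPECT_RTF = (
    b"{\\rtA1{\\object\\objautlink{\\*\\objdata\n"
    + b"D0CF11E0A1B11AE1" + b"00" * 8 + b"\n"
    + b"OLE2Link".hex().upper().encode()
    + "http://".encode("utf-16-le").hex().upper().encode()
    + b"}}}"
)
```

Running `match_malrtf_ole2link` on both samples reports a match only for SUSPECT_RTF, and `decode_objdata(SUSPECT_RTF)` yields the raw bytes beginning with the compound-file magic.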
Scenario: A system administrator uses Microsoft Word to generate a .rtf document with embedded OLE2Link for internal documentation purposes.
Filter/Exclusion: Exclude documents created by Microsoft Word or with the “Microsoft Office” process name.
Scenario: A scheduled job runs a PowerShell script that generates .rtf files with OLE2Link for automated report generation.
Filter/Exclusion: Exclude files created by PowerShell scripts or processes with “powershell.exe” in the command line.
Scenario: A third-party tool like LibreOffice is used to create .rtf files with embedded OLE2Link for compatibility with legacy systems.
Filter/Exclusion: Exclude files generated by LibreOffice or OpenOffice processes.
Scenario: An IT support tool like PDQ Deploy or Chocolatey creates .rtf files as part of a deployment package that includes OLE2Link for internal use.
Filter/Exclusion: Exclude files created by PDQ Deploy, Chocolatey, or other known IT deployment tools.
Scenario: A system update or patching tool generates .rtf files with OLE2Link as part of a configuration file for system settings.
Filter/Exclusion: Exclude files created by WSUS, SCCM, or Patch Management Tools.