
Recently I came across a macro malware sample that uses a technique quite new to me. If macros are enabled, the macro script does the following:
1. Saves the Doc file as RTF files, 300.rtf and 301.rtf
2. Opens the 300.rtf file with an embedded PE file
3. Executes the PE file
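For triage of a dropped file such as 300.rtf, the following added example (not code from the original post or from the sample) checks an RTF for an embedded PE. It assumes the PE is stored hex-encoded inside an `\objdata` group, the usual RTF embedded-object form, which the post does not state; the function names and the sample bytes are constructed for illustration.

```python
import re
import struct

# Hex payload of an embedded object: everything after \objdata up to the next brace.
# Assumption: the payload is plain hex with no nested control words.
OBJDATA = re.compile(rb"\\objdata\b([^{}]*)", re.DOTALL)

def find_pe_offsets(blob: bytes) -> list[int]:
    """Return offsets in blob where a structurally valid PE header starts."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        # e_lfanew at DOS-header offset 0x3C must point at the "PE\0\0" signature;
        # this filters out stray "MZ" byte pairs.
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def scan_rtf(data: bytes) -> list[tuple[int, int]]:
    """Return (object_index, pe_offset) for each PE found in \\objdata groups."""
    findings = []
    for idx, match in enumerate(OBJDATA.finditer(data)):
        # RTF allows whitespace and line breaks between hex digits; drop them.
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        payload = bytes.fromhex(hexchars.decode("ascii"))
        findings.extend((idx, off) for off in find_pe_offsets(payload))
    return findings

def _sample_rtf() -> bytes:
    # Constructed sample: 4 filler bytes + minimal DOS/PE header stub, not real malware.
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    hexed = (b"\x01\x05\x00\x00" + stub).hex().encode()
    body = hexed[:40] + b"\r\n" + hexed[40:]
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + body + b"}}}"

if __name__ == "__main__":
    print(scan_rtf(_sample_rtf()))
```

A hit means the embedded object carries a structurally valid PE header at that offset of the decoded object data; obfuscated RTF that splits the hex with control words needs a full RTF parser.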
Let's start analyzing the file and see how it successfully used the above trick.
Upon inspecting the file in Hiew...