The SANS ISC diary explains how ZIP files can be embedded inside an RTF document through OLE objects, which can be analysed with oledump.py. It notes that the options --storages and -E %CLSID% reveal the abused CLSID, and that the CONTENTS stream can contain the URL, which was extracted using the method from a previous diary entry. The post also points out that the OLE object includes a .docx file, which is itself a ZIP container and can be inspected with zipdump.py to uncover its contents.
A key detail is the ZIP file's magic number, 50 4B 03 04, used to locate embedded ZIPs within the RTF; the search results can then be used to extract URLs. This guidance was published on 2 March 2026 and is attributed to Didier Stevens.
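The carving described above, as an added example that is not from the diary or from Didier Stevens' tools: a Python script that decodes the hex payload of an RTF `\objdata` group, searches the decoded binary for the 50 4B 03 04 magic, lists the members of each carved ZIP with the standard `zipfile` module, and pulls URL-looking strings out of the members. The RTF sample, its wrapper bytes and the placeholder URL are constructed for the example; the wrapper is not a real OLE1 header, and the RTF parsing is deliberately minimal compared with what oledump.py and zipdump.py do.

```python
import io
import re
import zipfile

# Local file header signature of a ZIP archive: bytes 50 4B 03 04 ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def decode_rtf_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group in an RTF.

    Assumption: the payload is plain hex, possibly wrapped over several lines.
    Real samples may interleave other control words; this minimal parser
    stops at the first non-hex, non-whitespace character.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # tolerate a trailing half byte
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def find_zip_offsets(data: bytes) -> list[int]:
    """Every offset at which the ZIP magic occurs in the binary data."""
    return [m.start() for m in re.finditer(re.escape(ZIP_MAGIC), data)]


def carve_zips(data: bytes) -> list[tuple[int, zipfile.ZipFile]]:
    """Open a ZipFile at each magic offset that parses as a complete archive.

    Every member of an archive starts with the same magic, so offsets that
    turn out to be member headers of an already-carved archive are skipped.
    """
    carved, seen = [], set()
    for off in find_zip_offsets(data):
        if off in seen:
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(data[off:]))
            if zf.testzip() is not None:  # a member failed its CRC check
                continue
        except (zipfile.BadZipFile, OSError, ValueError):
            continue
        seen.update(off + info.header_offset for info in zf.infolist())
        carved.append((off, zf))
    return carved


def extract_urls(zf: zipfile.ZipFile) -> list[str]:
    """URL-looking strings found in any member, in first-seen order."""
    found = []
    for name in zf.namelist():
        for url in URL_RE.findall(zf.read(name)):
            text = url.decode("ascii", "replace")
            if text not in found:
                found.append(text)
    return found


def analyze_rtf(rtf: bytes) -> list[dict]:
    """Summarise every embedded ZIP found in the RTF's OLE object data."""
    report = []
    for blob in decode_rtf_objdata(rtf):
        for off, zf in carve_zips(blob):
            report.append({
                "offset": off,
                "members": zf.namelist(),
                "urls": extract_urls(zf),
            })
    return report


def build_sample_rtf() -> bytes:
    """Constructed test input: a tiny .docx-like ZIP wrapped in fake object
    data inside an RTF. Wrapper bytes and URL are placeholders, not a real
    OLE1 header and not an indicator from any sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:t>https://example.invalid/document</w:t></w:document>")
    # 32 bytes of constructed prefix, the ZIP, then 16 bytes of trailing padding.
    wrapped = b"\x01\x05\x00\x00" + b"\x00" * 28 + buf.getvalue() + b"\x00" * 16
    hexdata = wrapped.hex().encode("ascii")
    wrapped_hex = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + wrapped_hex + b"}}}"


if __name__ == "__main__":
    for entry in analyze_rtf(build_sample_rtf()):
        print(entry)
```

Searching for the magic in the decoded binary rather than for the string 504B0304 in the RTF text avoids misses when the hex is wrapped across lines, and the `testzip()` check plus header-offset bookkeeping keeps a multi-member archive from being reported once per member.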