After reading the FireEye blog on CVE-2017-8759, we decided to quickly write a signature for the new (though not yet widely used, and now patched) zero-day. Naturally, we decided to use QuickSand.io.

First we searched QuickSand.io for the FireEye-reported hash fe5c4d6bb78e170abf5cf3741868ea4c. The first hex block looks interesting.

Clicking the sha256 link brings up the hex view: it is an OLE document embedded in the RTF. We can see a wsdl link, and the highlighted hex turns out to be part of the class ID, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. Reversing the byte order of the first three blocks gives the SoapMoniker class ID, ECABB0C7-7F19-11D2-978E-0000F8757E2A.

This handy list reveals the SoapMoniker class.

After some testing, we pushed out a CVE-2017-8759 signature to QuickSand.io and the free open source version.
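The class ID byte-order reversal described above, and a search for the on-disk form inside RTF object data, as an added example (not QuickSand's signature or code from the original post). The function names and the sample RTF are constructed for illustration, and the scan assumes `\objdata` holds plain hex digits separated only by whitespace.

```python
import re
import uuid

# SoapMoniker class ID as given on the page (canonical string form).
SOAP_MONIKER = uuid.UUID("ECABB0C7-7F19-11D2-978E-0000F8757E2A")


def clsid_from_raw(raw: bytes) -> str:
    """Canonical CLSID string for the 16 bytes as stored in an OLE stream."""
    # bytes_le reads the first three fields as little-endian, which is the
    # byte-order reversal of the first three blocks described in the post.
    return str(uuid.UUID(bytes_le=raw)).upper()


def objdata_blobs(rtf: str):
    """Yield the decoded bytes of each \\objdata hex run (hypothetical helper)."""
    for match in re.finditer(r"\\objdata\b([0-9A-Fa-f\s]+)", rtf):
        digits = re.sub(r"\s+", "", match.group(1))
        yield bytes.fromhex(digits[: len(digits) & ~1])  # drop a dangling nibble


def find_clsid(rtf: str, clsid: uuid.UUID = SOAP_MONIKER):
    """Return (object index, byte offset) for every on-disk CLSID match."""
    needle = clsid.bytes_le
    hits = []
    for index, blob in enumerate(objdata_blobs(rtf)):
        offset = blob.find(needle)
        while offset != -1:
            hits.append((index, offset))
            offset = blob.find(needle, offset + 1)
    return hits


# Constructed sample, not a real document: 4 filler bytes, the CLSID, 4 more.
_payload = b"\x01\x05\x00\x00" + SOAP_MONIKER.bytes_le + b"\x00" * 4
_hex = _payload.hex()
SAMPLE_RTF = "{\\rtf1{\\object{\\*\\objdata " + _hex[:20] + "\n" + _hex[20:] + "}}}"

if __name__ == "__main__":
    print(clsid_from_raw(bytes.fromhex("c7b0abec197fd211978e0000f8757e2a")))
    print(find_clsid(SAMPLE_RTF))
```

Real samples often break up the hex with extra control words or nesting, so a production signature has to normalise the object data before matching.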