The first hex block looks interesting:
Clicking the sha256 link brings up the hex view, it’s a OLE document embedded in the RTF. We can see a wsdl link and the highlighted hex turns out to be part of the class id, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. Reversing the first three block’s byte order comes out to the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A
After some testing, we pushed out a CVE-2017-8759 signature to QuickSand.io and the free open source version.