diff --git a/Malicious_Documents/malicious_document.yar b/Malicious_Documents/malicious_document.yar
index 4360771..b15fdb9 100644
--- a/Malicious_Documents/malicious_document.yar
+++ b/Malicious_Documents/malicious_document.yar
@@ -271,3 +271,22 @@ rule Embedded_EXE_Cloaking {
     and for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
 }
+
+rule RTF_Shellcode
+{
+meta:
+
+    author = "RSA-IR – Jared Greenhill"
+    date = "01/21/13"
+    description = "identifies RTF's with potential shellcode"
+    filetype = "RTF"
+
+
+
+strings:
+    $rtfmagic={7B 5C 72 74 66}
+    $scregex=/[39 30]{2,20}/
+condition:
+
+    ($rtfmagic at 0) and ($scregex)
+}
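Review bot: The `$scregex` pattern `/[39 30]{2,20}/` in the new `RTF_Shellcode` rule is a regex character class, not a hex string, so it matches any run of two to twenty of the characters `3`, `9`, `0` or space; almost every RTF contains `00` or two adjacent spaces, which leaves `($rtfmagic at 0)` as the only effective condition and makes the rule fire on essentially every RTF file. The rule name and the byte values 0x39 0x30 (ASCII `90`) suggest the intent was a run of hex-encoded 0x90 bytes in the document text; if so, `$scregex = /(90){2,20}/` (or the hex string `{ 39 30 39 30 }`) expresses that, but this should be confirmed against the samples the rule was written for. Even with the intended pattern a two-repeat minimum is weak evidence in hex-heavy RTF content, so a higher minimum count and a `meta` comment stating what the pattern is meant to catch would make the rule easier to tune and review. The `Embedded_EXE_Cloaking` rule whose closing brace supplies the context lines begins outside the hunk.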