During an incident response on a malicious MS Office document, SEKOIA CERT got access to the payload itself and also the dropper which was presented interesting features. The document was designed to exploit the vulnerability CVE-2015-1641 in order to drop and execute a ransomware called Troldesh. This article explains how we analysed the exploit and the trick used by the author to avoid being det