rtfobj missing packages #507

@ddash-ct

Description

Affected tool:
rtfobj

Describe the bug
At Line 695 of rtfobj, there is a comparison of obj.class_name.lower() == b'package', which will incorrectly miss situations in which the class name has a trailing null, e.g. b'package\0'.

Proposal is to change comparison from above to:
obj.class_name.lower().rstrip(b'\0') == b'package'

File/Malware sample to reproduce the bug
Malware MD5 hash is bfad291d000b56ddd8a331d7283685b2, which is posted to ANY.APP.RUN

How To Reproduce the bug
N/A

Expected behavior
Identification of the embedded package named 1.a, such that output for running rtfobj -r includes:

0  |000CFCD9h |format_id: 2 (Embedded)
   |          |class name: 'Package\x00'
   |          |data size: 900221
   |          |OLE Package object:
   |          |Filename: u'1.a'
   |          |Source path: u'C:\\Users\\user\\Desktop\\1.a'
   |          |Temp path = u'C:\\Users\\user\\AppData\\Local\\Temp\\1.a'
   |          |MD5 = '1514b906582b0ea15c2c99193b30e0b0'

Console output / Screenshots
N/A

Version information:

  • OS: Windows
  • OS version: 10 - 64 bits
  • Python version: 2.7.15 - 64-bits
  • oletools version: 0.54

Additional context
N/A
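Added example, not code from rtfobj or oletools: it builds a constructed OLE 1.0 object header (OLEVersion, FormatID, then length-prefixed ANSI strings whose length counts the trailing null, as laid out in MS-OLEDS), extracts the class name the way the report describes it (null kept), and contrasts the comparison quoted in the issue with the proposed rstrip fix. The function names and the sample header are assumptions made for this example.

```python
import struct

OLE_VERSION = 0x00000501  # value commonly seen in OLE 1.0 headers (constructed sample)
FORMAT_EMBEDDED = 2       # FormatID 2 = embedded object, as in the expected rtfobj output


def _lp_string(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length that includes the null terminator.
    A length of 0 means no string at all."""
    if not s:
        return struct.pack("<I", 0)
    s += b"\0"
    return struct.pack("<I", len(s)) + s


def build_ole1_object(class_name: bytes, data: bytes,
                      format_id: int = FORMAT_EMBEDDED) -> bytes:
    """Constructed OLE 1.0 ObjectHeader followed by NativeDataSize + NativeData."""
    return (struct.pack("<II", OLE_VERSION, format_id)
            + _lp_string(class_name)   # ClassName
            + _lp_string(b"")          # TopicName (empty)
            + _lp_string(b"")          # ItemName (empty)
            + struct.pack("<I", len(data)) + data)


def parse_ole1_header(buf: bytes):
    """Return (format_id, class_name); class_name is kept exactly as stored,
    i.e. with its trailing null, which is what the issue reports rtfobj does."""
    _ole_version, format_id = struct.unpack_from("<II", buf, 0)
    (length,) = struct.unpack_from("<I", buf, 8)
    class_name = buf[12:12 + length]
    return format_id, class_name


def is_package_buggy(class_name: bytes) -> bool:
    """Comparison as quoted in the issue: misses b'Package\\x00'."""
    return class_name.lower() == b"package"


def is_package_fixed(class_name: bytes) -> bool:
    """Proposed fix: drop trailing nulls first. A bytes pattern is used so the
    same line works on Python 3, where rstrip('\\0') on bytes raises TypeError."""
    return class_name.lower().rstrip(b"\0") == b"package"
```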
