diff --git a/oletools/oleid.py b/oletools/oleid.py
index 5370503..ec0e237 100644
--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -86,13 +86,13 @@ from os.path import dirname, abspath
 # little hack to allow absolute imports even if oletools is not installed
 # (required to run oletools directly as scripts in any directory).
 try:
- from oletools.thirdparty import prettytable
+ from oletools.thirdparty.prettytable import prettytable
 except ImportError:
 PARENT_DIR = dirname(dirname(abspath(__file__)))
 if PARENT_DIR not in sys.path:
 sys.path.insert(0, PARENT_DIR)
 del PARENT_DIR
- from oletools.thirdparty import prettytable
+ from oletools.thirdparty.prettytable import prettytable
 import olefile
diff --git a/oletools/rtfobj.py b/oletools/rtfobj.py
index 7179045..67af6dc 100644
--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -880,9 +880,16 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
 ole_column += '\nTemp path = %r' % rtfobj.temp_path
 ole_color = 'yellow'
 # check if the file extension is executable:
- _, ext = os.path.splitext(rtfobj.filename)
- log.debug('File extension: %r' % ext)
- if re_executable_extensions.match(ext):
+
+ _, temp_ext = os.path.splitext(rtfobj.temp_path)
+ log.debug('Temp path extension: %r' % temp_ext)
+ _, file_ext = os.path.splitext(rtfobj.filename)
+ log.debug('File extension: %r' % file_ext)
+
+ if temp_ext != file_ext:
+ ole_column += "\nMODIFIED FILE EXTENSION"
+
+ if re_executable_extensions.match(temp_ext) or re_executable_extensions.match(file_ext):
 ole_color = 'red'
 ole_column += '\nEXECUTABLE FILE'
 # else:
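Review bot: The two added `os.path.splitext` calls split paths that were recorded inside the OLE Package (the `Temp path` label suggests a Windows path) using the separator convention of whatever host runs rtfobj, so on POSIX a dot in a directory component with an extension-less basename yields a bogus extension and both the MODIFIED FILE EXTENSION and EXECUTABLE FILE verdicts can misfire. Use `ntpath.splitext(rtfobj.temp_path)` and `ntpath.splitext(rtfobj.filename)` instead, which handle `\` and `/` regardless of platform. The `temp_ext != file_ext` comparison is also byte-exact, so `.EXE` versus `.exe` is reported as a modified extension; compare `temp_ext.lower() != file_ext.lower()` if a case difference is not meant to count. If `temp_path` or `filename` can be unset for a malformed package, `splitext` raises `TypeError` here where the rest of the row is still printed, so a guard before the split is worth adding. The enclosing `process_file` starts and ends outside the hunk.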
@@ -897,6 +904,11 @@ def process_file(container, filename, data, output_dir=None, save_object=False):
 if rtfobj.class_name == b'OLE2Link':
 ole_color = 'red'
 ole_column += '\nPossibly an exploit for the OLE2Link vulnerability (VU#921560, CVE-2017-0199)'
+ # Detect Equation Editor exploit
+ # https://www.kb.cert.org/vuls/id/421280/
+ elif rtfobj.class_name.lower() == b'equation.3':
+ ole_color = 'red'
+ ole_column += '\nPossibly an exploit for the Equation Editor vulnerability (VU#421280, CVE-2017-11882)'
 else:
 ole_column = 'Not a well-formed OLE object'
 tstream.write_row((
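Review bot: The new `elif` calls `.lower()` on `rtfobj.class_name`, whereas the `OLE2Link` branch above compares with `==`, which tolerates an unset value; if `class_name` can be `None` for a malformed object, the new branch raises `AttributeError` mid-row instead of reporting the object. Guard it with `elif rtfobj.class_name and rtfobj.class_name.lower() == b'equation.3':`. The exact match also only recognises the `Equation.3` ProgID spelling, while Equation Editor objects may presumably arrive under a different ProgID or identified by CLSID alone; consider `rtfobj.class_name.lower().startswith(b'equation')` and a comment stating that CLSID-only objects are not covered by this check. The two branches are inconsistent in case handling (OLE2Link exact, Equation folded), so a short why-comment such as `# ProgID case varies between samples; compare case-insensitively` would help the next reader. `process_file` starts and ends outside the hunk.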