rule SUSP_RTF_with_potential_CVE_2026_21509_exploit { meta: description = "Detects RTF files containing a Shell.Explorer.1 OLE object, possibly an exploit for CVE-2026-21509" author = "Philippe Lagadec" reference = "https://decalage.info/CVE-2026-21509/" version = "1.3" date = "2026-02-03" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" // samples: https://bazaar.abuse.ch/browse/tag/CVE-2026-21509/ yarahub_uuid = "3d34f6f4-ca26-495a-944e-e8a7333d79e6" yarahub_license = "CC BY-SA 4.0" yarahub_rule_matching_tlp = "TLP:WHITE" yarahub_rule_sharing_tlp = "TLP:WHITE" yarahub_reference_md5 = "7c396677848776f9824ebe408bbba943" strings: // RTF file signature $rtf_header = "{\\rt" // OLE object data $ole_object = "\\objdata" // This regex matches the Shell.Explorer CLSID hex-encoded with any amount of whitespace between characters $clsid = /C\s*3\s*2\s*A\s*B\s*2\s*E\s*A\s*C\s*1\s*3\s*0\s*C\s*F\s*1\s*1\s*A\s*7\s*E\s*B\s*0\s*0\s*0\s*0\s*C\s*0\s*5\s*B\s*A\s*E\s*0\s*B/ nocase condition: // File must start with RTF header $rtf_header at 0 and // and contain an OLE object $ole_object and // And contain the CLSID string $clsid }