rule SUSP_RTF_with_potential_CVE_2026_21509_exploit_nows { meta: description = "Detects RTF files containing a Shell.Explorer.1 OLE object, possibly an exploit for CVE-2026-21509" author = "Philippe Lagadec" reference = "https://decalage.info/CVE-2026-21509/" version = "1.3" date = "2026-02-03" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" // samples: https://bazaar.abuse.ch/browse/tag/CVE-2026-21509/ yarahub_uuid = "f8a081ff-830c-4f30-8bad-168d2a582324" yarahub_license = "CC BY-SA 4.0" yarahub_rule_matching_tlp = "TLP:WHITE" yarahub_rule_sharing_tlp = "TLP:WHITE" yarahub_reference_md5 = "7c396677848776f9824ebe408bbba943" strings: // RTF file signature $rtf_header = "{\\rt" // OLE object data $ole_object = "\\objdata" // This regex matches the Shell.Explorer CLSID hex-encoded without whitespace // (which is faster than the whitespace version, but can miss some detections) $clsid = "C32AB2EAC130CF11A7EB0000C05BAE0B" nocase condition: // File must start with RTF header $rtf_header at 0 and // and contain an OLE object $ole_object and // And contain the CLSID string $clsid }