# script to scan MS Office files, looking for "Shell.Explorer" OLE objects which could match CVE-2026-21509
# using oletools - https://github.com/decalage2/oletools
# Philippe Lagadec 2026-01-28
# NOTES:
# According to the MS advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
# the CVE-2026-21509 vulnerability is related to CLSID "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B",
# corresponding to the "Shell.Explorer" COM object, which can be used to open the legacy
# Internet Explorer engine (aka Trident/MSHTML) from any application.
# So to exploit CVE-2026-21509 from a MS Office document, one could use either an OLE object