Kimsuky Word malware: 협의 이혼 의사 확인 신청서.doc ("Application for Confirmation of Intention to Divorce by Agreement") (2023.06.28)

2023-06-30 Sakai Kimsuky word malware - application for confirmation of intention to divorce by agreement.doc (2023.06.28)

https://wezard4u.tistory.com/6487


Wezard4u analyzed a Kimsuky-themed malicious Word document disguised as a Korean divorce-related form. The Korean post says the document uses an AutoOpen VBA macro to write and execute a VBScript under the user’s Microsoft Templates directory, which downloads and executes additional code from a Google Drive URL. The sample is tracked with hashes including SHA-256 ea451e5c064f79f66433d2311e90b965d1ee26cabc411f633d826cdb6920b83e and was detected by multiple antivirus engines as macro/downloader malware. The author frames the activity as likely tied to a North Korea-linked reconnaissance group and notes Kimsuky’s broader targeting of South Korean think tanks, industry, nuclear-sector, defector, military, diplomatic, and government-related communities.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   716b5e039177f7f6d50404bde0be9e4b    2023-06-30   2023-06-30
HASH   b4635d3d6adbe3c0674032db712e26c…    2023-06-30   2023-06-30
HASH   ea451e5c064f79f66433d2311e90b96…    2023-06-30   2023-06-30
