AhnLab analyzes a malicious Word document disguised as a CNA news questionnaire and related to earlier North Korea-themed Word lures. The password-protected document contains obfuscated VBA macros that create and execute VBScript, BAT, LNK, and PowerShell components under AppData. The downloaded scripts collect system and directory information, exfiltrate it to attacker infrastructure, and add FTP-based theft of Chrome and Edge user-data files. The infection chain also retains prior functions such as LNK creation, Office security setting changes, and keylogging.