Malicious Word documents using external links in North Korea-related content
2021-03-22 • AhnLab • Malicious Word document using external links in North Korea-related content
AhnLab reports malicious Word documents that combine North Korea-related lure content with external XML links, likely distributed by email to recipients working on DPRK-related issues. When opened, the documents connected to external URLs to download additional malicious Word macro files; examples included documents titled as questionnaires, work reports and assessments of the North Korean party congress, with download paths hosted on inonix.co.kr, koreacit.co.kr, anpcb.co.kr and reform-ouen.com. The recovered macro documents used obfuscated VBA to create and execute XML from the user's Microsoft Templates directory, then attempted further malicious network connections, likely intended to download and run additional payloads. AhnLab detected the files as Downloader/DOC.External, Downloader/XML.Generic and related downloader families.
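As an added defender-side example (not code from the AhnLab report), the following Python check unpacks a .docx and lists every OOXML relationship marked TargetMode="External", which is the mechanism a document uses to point Word at a remote part such as a template. The sample document and its URL are constructed here for illustration and are not indicators from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_relationships(docx_bytes):
    """List (rels part, relationship type, target) for every OOXML relationship
    marked TargetMode="External". Such targets are resolved outside the package,
    so an http(s) URL here means Word may fetch content from the network on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, rel.get("Target", "")))
    return findings


def build_sample_docx(template_url=None):
    """Construct a minimal .docx in memory (constructed sample, not a file from
    the report). If template_url is given, settings.xml gets an attachedTemplate
    relationship pointing at that external URL."""
    rels = ""
    if template_url:
        rels = (f'<Relationship Id="rId1" Type="{OOXML_REL}/attachedTemplate" '
                f'Target="{template_url}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                    f'Type="{OOXML_REL}/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        zf.writestr("word/_rels/settings.xml.rels",
                    f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL; only the shape of the relationship matters for the check.
    for hit in external_relationships(build_sample_docx("http://example.invalid/t.dotm")):
        print("external target in %s (%s): %s" % hit)
```

Internal relationships (no TargetMode, or TargetMode="Internal") are ignored, so a clean document yields an empty list.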
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://reform-ouen.com/wp-incl… | 2021-03-22 | 2021-07-26 |
| URL | http://www.anpcb.co.kr/plugin/s… | 2021-03-22 | 2021-07-26 |
| URL | http://koreacit.co.kr/skin/new/… | 2021-03-22 | 2021-07-26 |
| URL | http://www.inonix.co.kr/kor/boa… | 2021-03-22 | 2021-07-26 |
| DOMAIN | reform-ouen.com | 2021-03-22 | 2021-07-26 |
| DOMAIN | koreacit.co.kr | 2021-03-22 | 2021-07-26 |