Distribution of a Hangul document (HWP) titled as a North Korea-related questionnaire

2021-04-09 Ahnlab Dissemination of Hangul document (HWP) titled North Korea-related questionnaire

https://asec.ahnlab.com/ko/21873/


AhnLab ASEC reports distribution of a malicious HWP document disguised as a North Korea-related questionnaire, likely modified from a real December 2020 broadcast discussion document. The file used an embedded link object and editing restrictions to hide object properties, with path artifacts suggesting creation on a system named Snow. When opened from the expected AppData path and clicked, the document launched a BAT-to-VBS chain through TroubleShooter.bat, Diagnostics.bat and HncConfig.ini. The final script attempted to fetch and execute content from yegip[.]kr/se2/photo_uploader/plugin/update/list.php?query=0, and AhnLab classified related components as HWP dropper, BAT runner and VBS downloader malware.
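As an added defender-side example (not code from the AhnLab report), the Python sketch below walks constructed process-creation telemetry for the chain the summary describes: Hwp.exe spawning cmd.exe on a .bat under AppData that ends in a script host, and notes whether that script host looked up the report's yegip.kr domain. The process names, event fields and command lines are assumptions; only the domain comes from the page.

```python
# Detection sketch for the HWP -> BAT -> VBS chain summarized above.
# Events are constructed Sysmon-style records for illustration; the
# process names and command lines are assumed, only yegip.kr is from the report.
import re

IOC_DOMAINS = {"yegip.kr"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BAT_IN_APPDATA = re.compile(r"appdata\\.*\.bat\b", re.IGNORECASE)

# Constructed sample telemetry: a process tree plus one DNS lookup.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 10, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 20, "ppid": 10, "image": "Hwp.exe",
     "cmdline": r'Hwp.exe "C:\Users\a\AppData\Roaming\questionnaire.hwp"'},
    {"type": "process", "pid": 30, "ppid": 20, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\a\AppData\Roaming\TroubleShooter.bat"},
    {"type": "process", "pid": 40, "ppid": 30, "image": "cmd.exe", "cmdline": "cmd.exe /c Diagnostics.bat"},
    {"type": "process", "pid": 50, "ppid": 40, "image": "wscript.exe",
     "cmdline": "wscript.exe //e:vbscript HncConfig.ini"},
    {"type": "dns", "pid": 50, "query": "yegip.kr"},
    # Benign script host launched from Explorer: must not be flagged.
    {"type": "process", "pid": 60, "ppid": 10, "image": "wscript.exe", "cmdline": r"wscript.exe C:\Tools\backup.vbs"},
]


def ancestors(pid, procs):
    """Yield the process record for pid and then each ancestor, root-most last."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def find_chains(events):
    """Return script hosts whose lineage contains Hwp.exe and a cmd.exe running a .bat from AppData."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    ioc_hits = {e["pid"] for e in events if e["type"] == "dns" and e["query"] in IOC_DOMAINS}
    findings = []
    for p in procs.values():
        if p["image"].lower() not in SCRIPT_HOSTS:
            continue
        lineage = list(ancestors(p["pid"], procs))
        bat_from_appdata = any(a["image"].lower() == "cmd.exe" and BAT_IN_APPDATA.search(a["cmdline"])
                               for a in lineage)
        hwp_ancestor = any(a["image"].lower() == "hwp.exe" for a in lineage)
        if bat_from_appdata and hwp_ancestor:
            findings.append({"pid": p["pid"], "ioc_contact": p["pid"] in ioc_hits})
    return findings
```

Running `find_chains(SAMPLE_EVENTS)` flags only pid 50, with `ioc_contact` set because that process resolved the report's domain.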

Indicators of Compromise

Type Value First Seen Last Seen
URL http://yegip.kr/se2/photo_uploa… 2021-04-09 2021-04-09
DOMAIN yegip.kr 2021-04-09 2021-04-09
