BlueNorOff (BlueNoroff) targeting North Korea-related personnel - Questionnaire.doc (2023.04.06)

2023-04-10 Sakai BlueNorOff targeting North Korean officials - Questionnaire.doc (2023.04.06)

https://wezard4u.tistory.com/6412

A Korean malware-analysis post attributes a malicious Word document named Questionnaire.doc to BlueNoroff, described as part of North Korea’s Lazarus-linked cybercrime activity targeting personnel who work on North Korea-related affairs. The lure text discusses questions about Kim Ju-ae’s succession and recent North Korean nuclear and missile issues, then asks the user to enable macros. Once enabled, the VBA launches mspaint.exe, allocates memory in that process, writes shellcode into it, and starts a remote thread there, then deletes its own macro modules to hinder analysis. The post lists hashes for the document and reports network indicators including docx1.b4a[.]app/download.html and TCP connections to 3.222.42[.]202:443 and 52.7.66[.]68:443.
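The behaviour chain described above (Office parent spawning mspaint.exe, a remote thread created in that child, then an outbound connection to the listed infrastructure) is the kind of sequence an endpoint detection rule can correlate. The following is an added example written for this page, not code from the original post or from the analyst; it walks a list of Sysmon-style events (using the real Sysmon field names Image, ParentImage, ProcessId, SourceImage, TargetImage, TargetProcessId, DestinationIp, DestinationHostname and DestinationPort) and raises alerts for each stage. The sample events are constructed for illustration; the indicator values are taken from the IoC table on this page, and only the one untruncated hash is used.

```python
# Added detection example for the Questionnaire.doc behaviour described in the post.
# Event records below are constructed Sysmon-like dicts, not telemetry from the real sample.
# EventID 1 = process creation, EventID 8 = CreateRemoteThread, EventID 3 = network connection.

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
INJECTION_HOSTS = {"mspaint.exe"}                    # host process named in the post
IOC_MD5 = {"8f106544bfd4755d17a353064666426a"}        # the untruncated hash from the IoC table
IOC_DOMAINS = {"docx1.b4a.app"}
IOC_IPS = {"3.222.42.202", "52.7.66.68"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[str]:
    """Walk events in order and return one alert string per matched stage.

    Stages are correlated by PID: a remote-thread alert only fires when the
    target process was itself spawned by an Office application earlier.
    """
    alerts: list[str] = []
    spawned_by_office: dict[int, str] = {}   # child pid -> Office parent name

    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent = image_name(ev["ParentImage"])
            child = image_name(ev["Image"])
            if parent in OFFICE_PROCESSES and child in INJECTION_HOSTS:
                spawned_by_office[ev["ProcessId"]] = parent
                alerts.append(f"office_spawn: {parent} -> {child} pid={ev['ProcessId']}")
        elif eid == 8:
            src = image_name(ev["SourceImage"])
            tgt_pid = ev["TargetProcessId"]
            if src in OFFICE_PROCESSES and tgt_pid in spawned_by_office:
                tgt = image_name(ev["TargetImage"])
                alerts.append(f"remote_thread: {src} -> pid={tgt_pid} ({tgt})")
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            ip = ev.get("DestinationIp", "")
            if host in IOC_DOMAINS or ip in IOC_IPS:
                alerts.append(f"c2_ioc: pid={ev['ProcessId']} -> {host or ip}:{ev['DestinationPort']}")
    return alerts


def match_document_hash(md5: str) -> bool:
    """Check a document's MD5 against the page's IoC list (case-insensitive)."""
    return md5.lower() in IOC_MD5


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\mspaint.exe", "TargetProcessId": 4120},
    {"EventID": 3, "ProcessId": 4120, "DestinationIp": "3.222.42.202",
     "DestinationHostname": "docx1.b4a.app", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},   # benign: must not alert
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The PID correlation matters: Office spawning mspaint.exe alone is unusual but not conclusive, and a CreateRemoteThread event alone is noisy on a real fleet; the combination of the two from the same Office parent into the same child, followed by a connection to known infrastructure, is what gives the alert its confidence. Hash matching is kept separate because the document hash comes from a file-scan or mail-gateway source rather than from process telemetry.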

Indicators of Compromise

Type Value First Seen Last Seen
HASH 8f106544bfd4755d17a353064666426a 2023-04-10 2023-05-23
HASH 3252345b2640efc44cdd98667dbd258… 2023-04-10 2023-05-01
HASH 652af768b1bf3f9730737bdd115bbb8… 2023-04-10 2023-04-10
URL https://docx1.b4a.app:443/downl… 2023-04-10 2023-04-10
IPv4 3.222.42.202 2023-04-10 2023-04-10
IPv4 52.7.66.68 2023-04-10 2023-04-10
