Malware Created by APT37 (Reaper) Targeting People Involved in North Korea-Related Affairs - Kim X-sung Lecture Materials.lnk (2024.12.06)
2024-12-09 • Sakai
APT37 is linked to a large malicious LNK file disguised as lecture material for people connected to North Korea issues. The shortcut contains embedded PDF, BAT, and DAT data and uses PowerShell to locate the LNK, extract a PDF, write vivo.dat, oppo.dat, and huawei.bat into the temporary directory, execute the batch file, and delete the original shortcut. The follow-on script runs hidden 32-bit PowerShell, reads oppo.dat as a script block, XOR-decodes vivo.dat with the key h, allocates executable memory, changes memory protection, and starts the decoded payload through kernel32 APIs. The source provides hashes including SHA-256 d9e3eba6067eec0aa32214b2a9811f4b579b66b34fe4e5bff4d754102dffdb91, making the sample useful for detecting LNK-based APT37 delivery and in-memory payload execution.
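The summary above lists several traits an analyst can check without running the sample: an unusually large shortcut, a PowerShell command line stored in the LNK's UTF-16LE string fields, an appended PDF, the vivo.dat / oppo.dat / huawei.bat names, the page's MD5 and SHA-256, and the single-byte XOR (key `h`) used on vivo.dat. The triage script below is an added example written for this page, not code from the source or from the sample itself. The size threshold, the `_contains` helper and the constructed stand-in file produced by `build_constructed_sample()` are assumptions; the hashes and file names are the page's own. `xor_decode` is general: it reverses any single-byte XOR, with the page's key as the default.

```python
import hashlib

# Indicators taken from the page: the sample's MD5 and SHA-256.
KNOWN_HASHES = {
    "2fa8f5f95577db335e649d5361c845b0",
    "d9e3eba6067eec0aa32214b2a9811f4b579b66b34fe4e5bff4d754102dffdb91",
}
# File names the page says the PowerShell stage writes into %TEMP%.
DROPPED_NAMES = ("vivo.dat", "oppo.dat", "huawei.bat")
# Single-byte XOR key the page reports for vivo.dat.
XOR_KEY = ord("h")
# First 8 bytes of every .lnk: HeaderSize (0x4C) + start of the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
# Assumed threshold: a shortcut carrying a PDF plus payloads is far larger
# than a normal shortcut, which is usually only a few kilobytes.
SIZE_THRESHOLD = 64 * 1024


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Reverse the single-byte XOR the page describes for vivo.dat
    (XOR is its own inverse, so the same call also re-encodes)."""
    return bytes(b ^ key for b in data)


def _contains(haystack: bytes, needle: str) -> bool:
    """Case-insensitive search in both ASCII and UTF-16LE; LNK string fields
    (arguments, icon path) are stored as UTF-16LE."""
    low = haystack.lower()
    n = needle.lower()
    return n.encode("ascii") in low or n.encode("utf-16-le") in low


def triage_lnk(data: bytes) -> dict:
    """Score a shortcut file against the traits the page reports."""
    findings = {
        "is_lnk": data.startswith(LNK_MAGIC),
        "size": len(data),
        "oversized": len(data) > SIZE_THRESHOLD,
        "hash_match": (hashlib.sha256(data).hexdigest() in KNOWN_HASHES
                       or hashlib.md5(data).hexdigest() in KNOWN_HASHES),
        "powershell": _contains(data, "powershell"),
        "embedded_pdf": b"%PDF-" in data,
        "dropped_names": [n for n in DROPPED_NAMES if _contains(data, n)],
    }
    hits = sum([
        findings["oversized"],
        findings["powershell"],
        findings["embedded_pdf"],
        bool(findings["dropped_names"]),
    ])
    findings["verdict"] = (
        "known_ioc" if findings["hash_match"]
        else "suspicious" if findings["is_lnk"] and hits >= 2
        else "clean"
    )
    return findings


def build_constructed_sample() -> bytes:
    """Constructed stand-in (not the real sample) that mimics the layout the
    page describes: LNK header, a UTF-16LE PowerShell argument string, an
    appended PDF, the dropped-file names and an XOR-encoded blob."""
    args = "powershell -WindowStyle Hidden placeholder-argument"  # assumed
    blob = xor_decode(b"MZ constructed payload stub")  # encoded with key 'h'
    body = b"".join([
        LNK_MAGIC, b"\x00" * 0x44,  # pad to the 0x4C-byte header size
        args.encode("utf-16-le"),
        b"%PDF-1.4\n%constructed\n",
        b"\x00".join(n.encode() for n in DROPPED_NAMES),
        blob,
    ])
    # Pad so the stand-in trips the oversized check like the real sample.
    return body + b"\x00" * (SIZE_THRESHOLD + 1 - len(body))


if __name__ == "__main__":
    report = triage_lnk(build_constructed_sample())
    for key, value in report.items():
        print(f"{key:14} {value}")
```

Run it against a real `.lnk` by passing the file's bytes to `triage_lnk`; a `known_ioc` verdict means the hash matches the page's indicators, while `suspicious` flags a shortcut that shares two or more of the structural traits even if its hash differs. `xor_decode` applied to an extracted vivo.dat yields the decoded payload for static analysis.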
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | stem.io | 2024-05-22 | 2025-05-13 |
| HASH | 2fa8f5f95577db335e649d5361c845b0 | 2024-12-09 | 2024-12-09 |
| HASH | d9e3eba6067eec0aa32214b2a9811f4… | 2024-12-09 | 2024-12-09 |
| HASH | c8bb4f1ebeafd00cc6b73e2cf265c18… | 2024-12-09 | 2024-12-09 |