APT Malware Related to North Korea

2016-11-18 Sands Lab APT malware related to North Korea

http://story.malwares.com/92

malwares.com analyzed malicious Hangul Word Processor (HWP) documents that exploited a vulnerability rather than relying on macros, so code execution occurred as soon as the document was opened in an affected HWP version. The embedded BinData area contained shellcode obfuscated with a single-byte XOR key of 0xD5; once decoded, it attempted to download an additional payload with URLDownloadToFileA and execute it as wins.exe via WinExec. The primary sample (SHA-256 0D56C5F20B2DA3659F05D613D3FAEB41D9E82A45E9161C3B48805EBB7B2730B9) tried to fetch http://crystalpowercleaning.com/wp-includes/images/wpindex.jpg, while similar samples referenced download paths on acddesigns.com.au and portmultimedia.com. The second-stage payloads were no longer available at the time of analysis, but the author warned that reuse of the same HWP vulnerability could have significant impact because the lure was a document file rather than an executable. The hosting sites appeared to be legitimate web services, and weak administrative access may have allowed the attackers to upload the staged payloads there.
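The obfuscation described above is a single-byte XOR, which is cheap to reverse for triage. The following is an added example (not code from the malwares.com report) of a defender-side check: it decodes a raw byte blob with the reported key 0xD5 and looks for the downloader strings the report names (URLDownloadToFileA, WinExec, wins.exe, a URL), and it goes one step beyond the report by also trying all 256 single-byte keys so a variant that changed the key is still flagged. It assumes the BinData stream has already been pulled out of the HWP (OLE compound file) container by some other tool; the sample blob below is constructed for the example and the URL in it is a placeholder, not one from the report.

```python
"""
Added example, not from the malwares.com report: scan an already-extracted
HWP BinData blob for XOR-obfuscated downloader strings.

Assumptions (labelled): the caller has extracted the BinData stream from the
OLE container; SAMPLE_BINDATA is a constructed stand-in, not a real sample.
"""
from typing import Dict, List

# Indicator strings taken from the report's description of the shellcode.
INDICATORS: List[bytes] = [b"URLDownloadToFileA", b"WinExec", b"wins.exe", b"http://"]

REPORTED_KEY = 0xD5  # single-byte XOR key named in the report


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both
    obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def find_indicators(data: bytes, key: int) -> List[bytes]:
    """Decode `data` with `key` and return the indicator strings found,
    in INDICATORS order (empty list means nothing recognisable)."""
    decoded = xor_bytes(data, key)
    return [ind for ind in INDICATORS if ind in decoded]


def scan_single_byte_xor(data: bytes, min_hits: int = 2) -> Dict[int, List[bytes]]:
    """Try all 256 single-byte keys and report those under which at least
    `min_hits` indicators appear. Generalises the report's fixed key so a
    variant that only changed the XOR byte is still caught."""
    hits: Dict[int, List[bytes]] = {}
    for key in range(256):
        found = find_indicators(data, key)
        if len(found) >= min_hits:
            hits[key] = found
    return hits


# Constructed stand-in for an extracted BinData blob: a fake shellcode body
# carrying the strings the report describes, then obfuscated with XOR 0xD5
# the way the report says. The host name is a placeholder, not the report's.
_PLAIN = (
    b"\x90" * 16
    + b"URLDownloadToFileA\x00WinExec\x00"
    + b"http://payload-host.invalid/wpindex.jpg\x00"
    + b"wins.exe\x00"
)
SAMPLE_BINDATA = xor_bytes(_PLAIN, REPORTED_KEY)


if __name__ == "__main__":
    # Raw blob shows nothing; decoding with the reported key reveals the strings.
    print("raw   :", find_indicators(SAMPLE_BINDATA, 0x00))
    print("0xD5  :", find_indicators(SAMPLE_BINDATA, REPORTED_KEY))
    for k, found in scan_single_byte_xor(SAMPLE_BINDATA).items():
        print(f"key 0x{k:02X}: {[f.decode() for f in found]}")
```

Run it on a real extracted BinData stream by replacing SAMPLE_BINDATA with the stream bytes; a hit under key 0xD5 with the URLDownloadToFileA/WinExec pair is a strong match for the family described here, while a hit under some other key is worth a closer look as a possible variant.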

Indicators of Compromise

Type    Value                              First Seen  Last Seen
DOMAIN  acddesigns.com.au                  2016-11-18  2019-05-14
HASH    0d56c5f20b2da3659f05d613d3faeb4…   2016-11-18  2016-11-18
HASH    7875614ecd08474662a7aa2a1d8830b…   2016-11-18  2016-11-18
HASH    cfe2c79a879d40ba95b4b69d955536b…   2016-11-18  2016-11-18
URL     http://crystalpowercleaning.com…   2016-11-18  2016-11-18
URL     http://acddesigns.com.au/client…   2016-11-18  2016-11-18
URL     http://www.portmultimedia.com/w…   2016-11-18  2016-11-18
DOMAIN  crystalpowercleaning.com           2016-11-18  2016-11-18
