Hangul (*.HWP) malware with drone (unmanned aerial vehicle) status content being distributed

2020-06-02 AhnLab Hangul (*.HWP) malware with drone (unmanned aerial vehicle) status content being distributed

https://asec.ahnlab.com/1328


ASEC observed a malicious Korean HWP document themed around drone and unmanned-aerial-vehicle status information. When opened, the document renders an embedded malicious EPS object that exploits CVE-2017-8291 (a Ghostscript flaw reachable through the EPS objects HWP files can embed) to decode and execute shellcode. The shellcode checks for AhnLab V3-related processes and establishes persistence through a scheduled task named OneDrive, chosen to blend in with the legitimate OneDrive update tasks. That task runs mshta every three minutes to retrieve an HTA payload from www.boaz[.]kr/skin/member/log/pre[.]hta. The source also provides hashes and AhnLab detection names for the HWP exploit document and the downloader chain, so the report is useful for tracking HWP/EPS lure delivery and scheduled-task based follow-on execution.
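The persistence described above (a lookalike task name, mshta.exe as the action, a remote HTA URL, a short repeat interval) is easy to hunt for across a fleet once scheduled tasks have been exported. The following is an added example, not code from the ASEC report or from AhnLab: it reads the CSV produced by `schtasks /query /fo CSV /v`, assuming only the `TaskName`, `Task To Run` and `Repeat: Every` columns of that export, and flags tasks that match the pattern or the reported domain. The sample CSV is constructed for the example, with one task modelled on the report's description; it is not real telemetry.

```python
import csv
import io
import re

# Indicators taken from the report summary above.
IOC_DOMAINS = {"www.boaz.kr"}
# Legitimate-looking names the lure reuses; a task with this exact name whose
# action is not an OneDrive binary deserves a look.
LOOKALIKE_TASK_NAMES = {"onedrive"}

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)

# Constructed sample (not real data): a subset of the columns emitted by
# `schtasks /query /fo CSV /v`. The first row mirrors the report's task.
SAMPLE_SCHTASKS_CSV = '''"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\\OneDrive","mshta.exe http://www.boaz.kr/skin/member/log/pre.hta","One Time Only","0:03:00"
"\\OneDrive Standalone Update Task","C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","N/A"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -k -g -$","Weekly","N/A"
"\\Updater","mshta.exe C:\\ProgramData\\local.hta","At logon","N/A"
'''


def parse_interval_seconds(value):
    """Convert the schtasks 'Repeat: Every' field (H:MM:SS) to seconds.

    Returns None for 'N/A' or anything else that is not an interval.
    """
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def assess_task(row):
    """Return the reasons (possibly none) this task resembles the HTA downloader."""
    name = row["TaskName"].strip("\\").lower()
    action = row["Task To Run"]
    reasons = []

    uses_mshta = bool(MSHTA_RE.search(action))
    if uses_mshta:
        hosts = URL_RE.findall(action)
        if hosts:
            reasons.append("mshta invoked with a remote URL")
            for host in hosts:
                if host.lower() in IOC_DOMAINS:
                    reasons.append(f"known IOC domain {host}")
        else:
            # Local HTA is weaker evidence but still unusual for a task.
            reasons.append("mshta invoked from a scheduled task")

    if name in LOOKALIKE_TASK_NAMES and "onedrive" not in action.lower():
        reasons.append(f"task named {row['TaskName']} does not run an OneDrive binary")

    # The report's task repeats every three minutes; treat anything at or
    # under ten minutes combined with mshta as beacon-like.
    interval = parse_interval_seconds(row["Repeat: Every"])
    if uses_mshta and interval is not None and interval <= 600:
        reasons.append(f"beacon-style repeat every {interval}s")

    return reasons


def hunt(csv_text):
    """Map each suspicious TaskName to the list of reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = assess_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for task, reasons in hunt(SAMPLE_SCHTASKS_CSV).items():
        print(task)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, `\OneDrive` is flagged on all four criteria (remote URL, IOC domain, lookalike name, 180-second repeat) while the genuine OneDrive updater and the defrag task are not; `\Updater` is reported only because mshta appears in a task action, which is the weaker generic signal worth triaging separately. The domain match is the only indicator tied to this specific campaign; the other three checks generalise to any scheduled-task HTA downloader.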

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   d3cb1e300d24ed407e35f277f19017c3    2020-06-02   2020-06-02
HASH   0b558ee89a7bb32968ef78104f6b9a28    2020-06-02   2020-06-02
URL    http://www.boaz.kr/skin/member/…    2020-06-02   2020-06-02

Both hash values are 32 hexadecimal characters, i.e. MD5 digests. The URL is truncated as listed by the source table.
