Word malware made by North Korea's Kimsuky - 인적사항.doc (2023.4.11)

2023-04-14 Sakai Word malware created by Kimsuky in North Korea - personal information.doc (2023.4.11)

https://wezard4u.tistory.com/6417

A Korean-language analysis attributes a malicious Word document, named to look like a personal-information/resume form, to Kimsuky. It describes a VBA macro that runs only after the user enables macros. The macro uses obfuscated string replacement and Shell.Application to launch PowerShell, downloads and executes a remote script from mvix.xn--oi2b61z32a.xn--3e0b707e, and spawns Windows processes such as svchost and wmiprvse. The source lists hashes for the document and representative network indicators, including 145.14.144.206, 145.14.145.122 and 145.14.145.245, and URLs under /ej/li.txt, /ej/li.rong and /ej/index.php?filename=li. The report is relevant to DPRK tracking because it documents Kimsuky tradecraft: a Korean-language lure document, macro obfuscation and remote PowerShell payload retrieval.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   91d0b01a6a4a0b8edadf1df6a8e68d20   2023-04-14   2023-08-28
HASH   b39ac30367d9aa2d915e7ce5d102694…   2023-04-14   2023-04-14
HASH   0d663b9907a34604f120963b64a763c…   2023-04-14   2023-04-14
IPv4   145.14.145.245                     2023-04-14   2023-04-14
IPv4   145.14.145.122                     2023-04-14   2023-04-14
IPv4   145.14.144.206                     2023-04-14   2023-04-14
