Malware Suspected to Be North Korean Kimsuky, Disguised as a Bonus Calculation Excel File - 상여금처리산식.xls (2022.11.04)

2025-07-25 Sakai Malware Suspected to Be North Korean Kimsuky, Disguised as a Bonus Calculation Excel File - Bonus Processing Formula.xls (2022.11.04)

https://wezard4u.tistory.com/429548

A Korean analysis examines a suspected Kimsuky-linked Excel malware sample disguised as a bonus calculation spreadsheet. The workbook uses macros to read a download URL from Sheet1 cell A10001, escape command characters, and invoke curl through cmd.exe to save fileDownloader.exe in the user's TEMP directory. The macro code references Windows registry APIs and a download path on 106.249.253.146:12582, with hashes provided for the spreadsheet sample. The lure contains payroll and benefit fields, suggesting a Korean administrative or workplace theme, while the author notes North Korean operators target civilians, companies, and North Korea-related personnel without narrowing the victim set further.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
------  ---------------------------------  ----------  ----------
DOMAIN  soubtcevent.com                    2025-07-25  2025-07-30
HASH    c74441bb3efbd6243efde0045134c7c…   2025-07-25  2025-07-25
HASH    07a2105937ab7f4c610bc1eefb784a29   2025-07-25  2025-07-25
HASH    645c0ef504d47a55ca1aa25a501d66e…   2025-07-25  2025-07-25
IPv4    106.249.253.146                    2025-07-25  2025-07-25
