Malware created by the North Korean hacking group Kimsuky: 강연의뢰서_엄구호 교수님.docx.lnk (2024.6.4)

2024-06-28 Sakai Kimsuky Malware Disguised as a Lecture Request Document LNK

http://wezard4u.tistory.com/6843

A Kimsuky-attributed Windows LNK sample masqueraded as a lecture-request document for a Hanyang University professor, suggesting a social-engineering attempt against South Korean academic or policy-focused contacts. The shortcut executed hidden PowerShell, searched for the crafted LNK by file size, extracted and ran an embedded executable, deleted the original shortcut, and displayed a decoy Word document named 123.docx. The script used hardcoded Dropbox OAuth credentials to obtain an access token, download /0603/ps.bin from Dropbox, decode it with a custom routine, and execute the decoded PowerShell content with Invoke-Expression. The excerpt provides file hashes and multiple antivirus detections, making the sample useful for endpoint hunting and tracking document-themed DPRK phishing tradecraft.

Indicators of Compromise

Type  Value                                 First Seen  Last Seen
HASH  52d073c181531c7f0b8b3aa764c6551d      2024-06-28  2024-10-04
HASH  3065b8e4bb91b4229d1cea671e8959d…      2024-06-28  2024-06-28
HASH  a64e0a2e0a9b213966e6325efecc5e0…      2024-06-28  2024-06-28
URL   https://content.dropboxapi.com/…      2024-06-28  2024-06-28
