Malicious Word document disguised as an ‘export gold bar sales contract’

2021-08-24 AhnLab: Malicious Word document disguised as an ‘export gold bar sales contract’

https://asec.ahnlab.com/ko/26609/


ASEC analyzed a malicious Word document disguised as an export gold-bar sales contract and noted links to Kimsuky-related APT activity through the same document-protection password, 1qaz2wsx, used in earlier North Korea-themed malicious Word files. When the embedded macro runs, it removes the protected cover content and creates an XML file under the user’s Microsoft Templates path that is executed with wscript.exe. The document attempts to reach hxxp://regedit.onlinewebshop[.]net/hosteste/rownload/list.php?query=1 for follow-on activity, although the network endpoint was inactive at analysis time, and AhnLab detects the file as Downloader/DOC malware.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
URL      http://regedit.onlinewebshop.ne…   2021-08-24   2021-11-01
DOMAIN   regedit.onlinewebshop.net          2021-08-24   2021-11-01
