Malware distributed via a Hangul (HWP) "Origin Investigation Self-Inspection Checklist"

2020-07-24 AhnLab: HWP malware distributed as an origin investigation self-inspection checklist

https://asec.ahnlab.com/1359


ASEC reporting describes a malicious HWP document containing EPS/PostScript content that executes shellcode and CMD commands. The lure appears to abuse a legitimate origin self-check form from a government legal-information source, while related activity used COVID-themed Excel lures. The embedded script behavior overlaps with a previously observed malicious Excel document, indicating reuse of delivery and execution tradecraft. Defenders should monitor for HWP/EPS exploitation chains, suspicious CMD execution from document processes, and follow-on payload retrieval.
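The last sentence of the summary recommends watching for command interpreters launched from document processes. The following detection routine is an added example written for this page, not code from ASEC or the report: it parses constructed, Sysmon-style process-creation events and raises an alert when a command interpreter is the direct child of the Hangul Word Processor. The process name Hwp.exe, the helper names gbb.exe and gswin32c.exe (assumed here to be HWP's Ghostscript-based EPS renderer, which in practice may appear as the parent instead of Hwp.exe), the key=value log layout and the install path in the sample events are all assumptions, not details taken from the original page.

```python
"""Flag command interpreters spawned from a Hangul (HWP) document process.

Added example for this page, not from the ASEC report. Process names, field
names and the sample events are assumptions/constructed data (see comments).
"""
import re
from dataclasses import dataclass

# Assumed names: Hwp.exe is the Hangul Word Processor; gbb.exe/gswin32c.exe are
# assumed to be its Ghostscript-based EPS renderer, which may be the parent seen
# in telemetry when an EPS object is processed.
DOCUMENT_PROCESSES = {"hwp.exe", "gbb.exe", "gswin32c.exe"}

# Interpreters that a document-rendering process should never need to launch.
COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    parent: str
    child: str
    command_line: str


# key=value or key="quoted value" tokens; group 3 holds the unquoted content.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value style log line into a dict of string fields."""
    fields = {}
    for match in _KV.finditer(line):
        key, raw, quoted = match.group(1), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    """Return an Alert for every process-creation event whose parent is a
    document process and whose image is a command interpreter."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventType") != "ProcessCreate":
            continue
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in DOCUMENT_PROCESSES and child in COMMAND_INTERPRETERS:
            alerts.append(Alert(parent, child, event.get("CommandLine", "")))
    return alerts


# Constructed sample events; the install path and file name are invented.
SAMPLE_EVENTS = [
    r'EventType=ProcessCreate Image="C:\Program Files\Hnc\Hwp.exe" '
    r'ParentImage="C:\Windows\explorer.exe" CommandLine="Hwp.exe checklist.hwp"',
    r'EventType=ProcessCreate Image="C:\Windows\System32\cmd.exe" '
    r'ParentImage="C:\Program Files\Hnc\Hwp.exe" CommandLine="cmd.exe /c <redacted>"',
    r'EventType=ProcessCreate Image="C:\Windows\System32\notepad.exe" '
    r'ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
    r'EventType=NetworkConnect Image="C:\Windows\System32\cmd.exe" DestinationPort=80',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT: {alert.parent} -> {alert.child}: {alert.command_line}")
```

Only ProcessCreate events are considered, so the NetworkConnect line is ignored even though it names cmd.exe; correlating that follow-on connection with the alerting process would be the next step for the payload-retrieval stage the summary mentions.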

Indicators of Compromise

Type  Value                              First Seen   Last Seen
URL   http://nextlevelliving.pro/wp-i…   2020-07-24   2020-07-24
URL   http://www.trebat.co/wp-content…   2020-07-24   2020-07-24
