Malicious Word document using external link with similar domain type

2021-11-02 AhnLab

https://asec.ahnlab.com/ko/28284/


AhnLab describes malicious Word documents that used external template links as an upstream stage before downloading macro-enabled documents and a PE backdoor. The observed chain began with a Word file containing a malicious XML external relationship to kr9235.atwebpages[.]com, then downloaded an obfuscated macro document that retrieved cvwiq.zip and executed the extracted wieb.dat DLL through rundll32.exe. ASEC notes that similar atwebpages[.]com infrastructure and kr[number] host patterns had been used by North Korea-linked attack groups in earlier document operations. The report highlights the technique’s use of protected and hidden document content to make the lure appear legitimate while the template and payload chain executes.
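A defender-side check for the first stage described above, as an added example that is not taken from the AhnLab report: it walks every relationship part in a .docx package and flags external relationships, marking remote attached templates as alerts. It assumes the external link is stored as an `attachedTemplate` relationship; the sample package and its URLs are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_TYPE = DOC_REL + "attachedTemplate"


def external_relationships(docx_bytes):
    """List (part, kind, target, is_remote_template) for each External relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # Untrusted XML: prefer a hardened parser such as defusedxml in production.
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts of the package are not of interest
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                remote = target.lower().startswith(("http://", "https://"))
                findings.append((part, rel_type.rsplit("/", 1)[-1], target,
                                 rel_type == TEMPLATE_TYPE and remote))
    return findings


def build_sample_docx():
    """Constructed sample package: one remote template link, one ordinary hyperlink."""
    def rels(*items):
        body = "".join('<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
                       % (i, DOC_REL, kind, target, mode)
                       for i, (kind, target, mode) in enumerate(items, 1))
        return '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, body)
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels(
            ("settings", "settings.xml", ""),
            ("hyperlink", "https://www.example.com/", ext)))
        zf.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "http://template.example.invalid/a.dotm", ext)))
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target, flagged in external_relationships(build_sample_docx()):
        print("ALERT" if flagged else "info ", part, kind, target)
```

External hyperlinks are common in benign documents, so only the remote-template rows are treated as alerts; the rest are listed for context.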

Indicators of Compromise

