Malicious Word Document Disguised as a Product Introduction

2022-03-14 AhnLab Malicious Word Document Disguised as a Product Introduction

https://asec.ahnlab.com/ko/32532/


ASEC analyzed a malicious Word document disguised as a product introduction that appeared to target South Korean logistics or shopping-related organizations. The document reused metadata and macro-enablement lures from a prior information-theft Word campaign, suggesting the attacker modified an existing template and continued the same delivery pattern. When macros executed, the document downloaded BAT, VBS, CAB, and a second Word file from manage-box.com, staged scripts under C:\Users\Public\Documents, registered persistence through HKCU Run, and used safemaners.com for additional downloads and exfiltration. The script chain collected directory listings, IP information, task lists, and system information, and ASEC noted the attacker redirected malicious domains to Naver Mail to make infrastructure appear legitimate.

Indicators of Compromise

