[Caution] Hangul vulnerability document with '2nd North Korea-US Summit' content

2019-02-21 AhnLab [Caution] Hangul vulnerability document related to '2nd North Korea-US Summit'

https://asec.ahnlab.com/1201


AhnLab ASEC observed malicious Hangul HWP documents circulating with content related to the upcoming second U.S.–North Korea summit. The documents contained a vulnerable EPS object whose shellcode is decoded with a one-byte XOR key and executed through the normal gswin32c.exe EPS handler on unpatched systems. The shellcode injects into Internet Explorer and attempts to download and run a second-stage DLL from itoassn.mireene.co.kr/shop/shop/mail/com/mun/down[.]php. AhnLab detected the HWP document and downloaded DLL as Trojan/Win32.Hwdoor.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://itoassn.mireene.co.kr/sh… | 2019-02-21 | 2019-02-21 |
| DOMAIN | itoassn.mireene.co.kr | 2019-02-21 | 2019-02-21 |
