Malware with an MBR-destroying function delivered via a vulnerability-exploiting Hangul (HWP) file (취약점 한글파일을 이용한 MBR 파괴기능의 악성코드 등장)

2014-12-10 AhnLab ASEC

http://asec.ahnlab.com/1015


AhnLab analyzed nine malicious Hangul Word Processor (HWP) documents that exploited a known HWP vulnerability and were reportedly distributed as email attachments to specific recipients. Every document dropped the same malicious file, which installed a DLL under the system directory and registered it as a Windows service with a random name; the DLL combined backdoor-style behavior with destructive functions. The payload checked a registry value and the local system time to decide when to fire, then overwrote the first 512 bytes of the disk (the MBR) so that the machine displays a "Who Am I?" message on the next reboot. It also enumerated drive letters A through Z for selected file extensions and truncated every matching file to 4 KB of null bytes, destroying the original content. The report gives MD5 hashes for the exploit documents and the Win32 destroyer payload; these support detection and validation, but as hashes of specific samples they do not cover recompiled or repacked variants, and because the trigger is time-delayed a host can already be infected while its MBR is still intact.
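The two destructive artifacts described above (a sector 0 that no longer looks like an MBR and files reduced to 4 KB of null bytes) are cheap to check for during triage. The following Python script is an added example written for this page, not code from AhnLab or from the malware report; it assumes the "Who Am I?" text is stored as plain ASCII in the overwritten sector, that a destroyed file is exactly 4096 null bytes, and it uses a constructed disk sector and a constructed temporary file tree as input. The MBR parser checks the 0x55AA boot signature and the four partition entries at offset 0x1BE, which is the general layout of any MS-DOS-style MBR, so it also flags wipers that zero the sector without leaving a message.

```python
"""Triage checks for an overwritten MBR and for 4 KB null-truncated files."""
import os
import struct
import tempfile
from pathlib import Path

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
NULL_BLOCK_SIZE = 4096           # size of the null-filled truncation artifact described in the report
WIPER_MARKER = b"Who Am I?"      # assumption: the reboot message is stored as ASCII in sector 0


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot signature plus the four 16-byte partition entries at 0x1BE."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 0x1BE + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def assess_mbr(sector: bytes) -> dict:
    """Return findings that indicate sector 0 was overwritten rather than being a usable MBR."""
    info = parse_mbr(sector)
    in_use = [p for p in info["partitions"] if p["type"] != 0 and p["sectors"] > 0]
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not in_use:
        findings.append("no partition entries in use")
    if WIPER_MARKER in sector:
        findings.append("wiper marker string present")
    return {"suspicious": bool(findings), "findings": findings, "partitions_in_use": len(in_use)}


def make_clean_mbr() -> bytes:
    """Constructed sample: minimal MBR with one active NTFS partition and a valid boot signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\x63\x90"  # typical JMP stub at the start of the boot code
    # entry 0: active (0x80), CHS start, type 0x07 (NTFS), CHS end, LBA start 2048, 1 GiB of sectors
    struct.pack_into("<B3sB3sII", sector, 0x1BE, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 2097152)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def make_wiped_mbr() -> bytes:
    """Constructed sample of sector 0 after a destructive overwrite: message text, zeros, no signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:len(WIPER_MARKER)] = WIPER_MARKER
    return bytes(sector)


def is_null_truncated(path: Path) -> bool:
    """True if the file is exactly 4096 bytes and every byte is null (the shape the report describes)."""
    try:
        if path.stat().st_size != NULL_BLOCK_SIZE:
            return False
        with path.open("rb") as f:
            return f.read(NULL_BLOCK_SIZE) == b"\x00" * NULL_BLOCK_SIZE
    except OSError:
        return False


def scan_tree(root: Path, extensions=None) -> list:
    """Walk root and return paths matching the null-truncation artifact.

    extensions is an optional set such as {".hwp", ".doc"} (the report does not list the
    targeted extensions, so the set is left to the analyst); None checks every file.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if extensions is not None and p.suffix.lower() not in extensions:
                continue
            if is_null_truncated(p):
                hits.append(p)
    return sorted(hits)


def demo() -> dict:
    """Build a constructed file tree, run both checks against it and the sample sectors, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.hwp").write_bytes(b"\x00" * NULL_BLOCK_SIZE)   # destroyed document
        (root / "notes.txt").write_bytes(b"quarterly numbers\n")        # intact file
        (root / "empty.doc").write_bytes(b"\x00" * 4095)                # wrong size: not the artifact
        (root / "archive").mkdir()
        (root / "archive" / "old.xls").write_bytes(b"\x00" * NULL_BLOCK_SIZE)
        return {
            "wiped_files": [p.name for p in scan_tree(root)],
            "wiped_docs_only": [p.name for p in scan_tree(root, {".hwp", ".doc"})],
            "clean_mbr": assess_mbr(make_clean_mbr()),
            "wiped_mbr": assess_mbr(make_wiped_mbr()),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live system the sector would come from reading the first 512 bytes of the physical disk (for example `\\.\PhysicalDrive0` on Windows) or from a forensic image, and the scan would run over the mounted volumes; hashing files against the MD5 list in the IOC table complements this but only catches the exact samples listed.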

Indicators of Compromise

Type  Value                             First Seen  Last Seen
MD5   54783422cfd7029a26a3f3f5e9087d8a  2014-12-10  2019-03-04
MD5   f09ea2a841114121f32211faac553e1b  2014-12-10  2014-12-23
MD5   33874577bf54d3c209925c9def880eb9  2014-12-10  2014-12-23
MD5   9daf088fe4c9a9580216e98dbb7d1fca  2014-12-10  2014-12-23
MD5   3ba8a6815f828dfc518a0bdbd27bba5b  2014-12-10  2014-12-23
MD5   b5b6e93ab27cec75f07af2a3a6a40926  2014-12-10  2014-12-23
MD5   ead682b889218979b1f2f1527227af9b  2014-12-10  2014-12-23
MD5   800866bbab514657969996210bcf727b  2014-12-10  2014-12-23
MD5   af792a34548a2038f034ea9a6ff0639a  2014-12-10  2014-12-23
MD5   3ec69ee7135272e5bed3ea5378ade6ee  2014-12-10  2014-12-23
