Malicious document (xls) disguised as COVID-19 prediction results being distributed

2020-07-15 AhnLab Malicious XLS document disguised as COVID-19 prediction results being distributed

https://asec.ahnlab.com/1355


AhnLab observed COVID-19 prediction-themed phishing distributing malicious Excel documents that entice users to enable macros with a “Predict” calculation button. The macro contains obfuscated downloader commands that use curl and certutil -decode to fetch a Base64-encoded payload from WordPress-style category.php paths such as refeeldominicana.nwideas.com/wp-content/uploads/chimps/category.php: curl retrieves the encoded blob and certutil -decode writes it back to disk as a binary, so the chain needs no tooling beyond what Windows already ships. AhnLab also linked similar HWP (Hangul Word Processor) activity that downloads and decodes acview.dll from cooper9.com before launching it with rundll32. The payload was no longer available at analysis time, so the final stage is not described, but the report provides V3 (AhnLab's endpoint product) detection names, hashes, and related download URLs for hunting.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
URL     https://www.cooper9.com/wp-cont…   2020-07-15   2020-07-15
URL     http://refeeldominicana.nwideas…   2020-07-15   2020-07-15
DOMAIN  refeeldominicana.nwideas.com       2020-07-15   2020-07-15
