Malicious Hangul (HWP) file whose body text is a ‘Personal Information Collection Consent Form’ related to COVID-19 support funds
2021-10-19 • AhnLab • Malicious Korean (HWP) file in the main text of the ‘Personal Information Collection Consent’ related to COVID-19 support funds
ASEC analyzed a malicious HWP document disguised as a COVID-19 emergency relief personal-information consent form, apparently edited from a legitimate document and last modified in early October. The file contains an encoded EPS/PostScript object that decrypts to shellcode, reusing components linked to a recent airline cover-letter-themed RTF and infrastructure seen in a 2019 malicious HWP case. The shellcode was designed to retrieve additional payloads from gozdeelektronik[.]net paths ending in movie.png and movie.jpg and inject them into explorer.exe, although the payloads were unavailable during analysis. The source notes that the EPS vulnerability was patched in 2017, limiting execution on fully updated HWP installations, and AhnLab detects the activity as Malware/MDP.Behavior.M2411.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://gozdeelektronik.net/wp-… | 2019-06-20 | 2021-10-28 |
| URL | https://gozdeelektronik.net/wp-… | 2019-06-20 | 2021-10-28 |
| DOMAIN | gozdeelektronik.net | 2019-06-20 | 2021-10-28 |
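The summary above gives two network-observable traits of this sample: the payload host gozdeelektronik[.]net and download paths ending in movie.png or movie.jpg. The following is an added detection example, not AhnLab's code, that applies both traits to proxy log lines. The log lines, client addresses and the `/wp-UNKNOWN/` path segment are constructed placeholders (the real paths are truncated in the IoC table); a host match alone is rated high, while the payload file name on an unrelated host is only a weak signal because those names are common.

```python
"""Added example: match proxy log lines against the network indicators
listed on this page (domain + payload file names). Not AhnLab's code."""
from urllib.parse import urlparse
import posixpath

# Indicators taken from the page's summary and IoC table
IOC_DOMAINS = {"gozdeelektronik.net"}
IOC_FILENAMES = {"movie.png", "movie.jpg"}

# Constructed sample log (timestamp, client, method, URL, status).
# Client IPs and the '/wp-UNKNOWN/' segment are placeholders, not real data.
SAMPLE_LOG = """\
1634630000.123 10.0.0.5 GET https://gozdeelektronik.net/wp-UNKNOWN/movie.png 200
1634630001.456 10.0.0.7 GET https://example.com/images/movie.png 200
1634630002.789 10.0.0.9 GET https://cdn.gozdeelektronik.net/wp-UNKNOWN/movie.jpg 404
1634630003.000 10.0.0.5 GET https://www.example.org/index.html 200
"""


def host_matches(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url: str) -> dict:
    """Rate a URL against the indicators.

    severity: 'high' when the host is an IoC domain (with or without the
    payload name), 'low' when only the payload file name matches on some
    other host, 'none' otherwise. reasons lists what matched.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    name = posixpath.basename(parsed.path).lower()
    reasons = []
    if host_matches(host):
        reasons.append(f"ioc-domain:{host}")
    if name in IOC_FILENAMES:
        reasons.append(f"payload-name:{name}")
    if host_matches(host):
        severity = "high"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def scan_log(text: str) -> list:
    """Return one hit per log line whose URL matches any indicator.

    A 404 still counts: the request itself shows the shellcode ran and
    tried to fetch the second stage, even if nothing was served.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        url = next((f for f in fields if f.startswith(("http://", "https://"))), None)
        if url is None or len(fields) < 2:
            continue
        verdict = classify_url(url)
        if verdict["severity"] != "none":
            hits.append({"client": fields[1], "url": url, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["client"], hit["url"], hit["reasons"])
```

Only the high-severity hits warrant triage as this sample; the low-severity line is shown so the weak signal is visible but kept separate from the domain match.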