Targeted Attack: Malicious Word Document <Request for Payment of Compensation> Distributed

2021-06-09 AhnLab

https://asec.ahnlab.com/ko/24220/

AhnLab analyzed a renewed targeted malicious Word document campaign using a Korean “payment request” lure that had also appeared in earlier activity. The document’s VBA macro was stored with an HTML extension and only executed after the user typed in the document, creating and running VBS files named desktop.ini under %AppData% and %AppData%\Microsoft and adding an Internet Explorer startup shortcut for persistence. The script fetched attacker-hosted content from smyun0272.blogspot.com and exfiltrated reconnaissance data such as running services, Office Excel version, pinned taskbar shortcuts, user, OS, and file-path information to alyssalove.getenjoyment.net. AhnLab assessed the activity as tied to the same suspected North Korean actor behind related targeted Word documents that reused the unusual aaaaaaaaaaaa VBA function.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| HASH | 811b42bb169f02d1b0b3527e2ca6c00… | 2021-06-09 | 2021-11-10 |
| URL | http://ftcpark59.getenjoyment.n… | 2021-06-09 | 2021-09-01 |
| URL | http://alyssalove.getenjoyment.… | 2021-06-09 | 2021-09-01 |
| DOMAIN | alyssalove.getenjoyment.net | 2021-06-09 | 2021-09-01 |
| DOMAIN | ftcpark59.getenjoyment.net | 2021-03-26 | 2021-09-01 |
