AhnLab reports a malicious HWP document distributed through a unification education application post, where the downloaded file masquerades as a legitimate application form while dropping BAT, executable, manifest, and scheduled-task XML components into the temporary directory. The malware infection flow uses embedded hyperlinks and document.bat execution to rename components, maintain persistence, and make malicious activity harder for victims to notice.