Word malware disguised as a summer conference bio template is being distributed

2021-06-30 AhnLab: Word malware disguised as a summer conference bio template is being distributed.

https://asec.ahnlab.com/ko/24649/


ASEC observed a targeted malicious Word document campaign that impersonated a Korean summer conference administrator and used a bio-template lure delivered by email. The document contained a macro that did not trigger on open, but executed after the user typed in the document, downloading a VBS payload as %APPDATA%\desktop.ini from daewon3765.cafe24.com and launching it via Excel4Macro and wscript. Related Blogspot-hosted script logic modified Word macro-warning settings, collected host information such as running services, recent files, user and OS details, Office and .NET versions, desktop files, and pinned taskbar entries, and sent data to C2 infrastructure that shifted from daewon3765.cafe24.com to taesan109.myartsonline.com. Shared document metadata and script functionality link the activity to the earlier Korean payment-request lure described by AhnLab.
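The chain summarized above leaves a distinctive host footprint: an Office process spawning a script host, wscript.exe being handed a file that carries a non-script extension (desktop.ini) under %APPDATA%, and outbound connections to the two hosts named in the report. The following detection logic is an added example written for this page, not code from AhnLab or ASEC; the Sysmon-style events it scans are constructed, and the simplified `dest_host` field stands in for a separate network-connection event.

```python
import ntpath
import re

# Hosts the report names as C2 infrastructure
C2_HOSTS = {"daewon3765.cafe24.com", "taesan109.myartsonline.com"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed sample events (not real telemetry); dest_host is a simplification
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Roaming\desktop.ini"',
     "dest_host": None},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Documents\cleanup.vbs"',
     "dest_host": None},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
     "dest_host": "daewon3765.cafe24.com"},
]

def _tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def script_argument(cmdline):
    """Return the first non-switch argument given to the script host, or None."""
    for tok in _tokens(cmdline)[1:]:
        if not tok.startswith("/"):   # wscript switches look like //B or //E:vbscript
            return tok
    return None

def classify(event):
    """Return the reasons an event matches the Word -> wscript -> C2 chain."""
    reasons = []
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")
    if image in SCRIPT_HOSTS:
        arg = script_argument(event["cmdline"])
        if arg and ntpath.splitext(arg)[1].lower() not in SCRIPT_EXTS \
                and "\\appdata\\" in arg.lower():
            reasons.append("script_host_ran_non_script_extension_from_appdata")
    host = event.get("dest_host")
    if host and host.lower() in C2_HOSTS:
        reasons.append("connection_to_reported_c2_host")
    return reasons
```

The first two rules are behavioural and survive a change of C2 host, which the report shows the actor already did once; the host match is only a confirmation signal.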

Indicators of Compromise

Type Value First Seen Last Seen
URL http://daewon3765.cafe24.com/ab… 2021-06-30 2021-06-30
URL http://taesan109.myartsonline.c… 2021-06-30 2021-06-30
DOMAIN daewon3765.cafe24.com 2021-06-30 2021-06-30
DOMAIN taesan109.myartsonline.com 2021-06-30 2021-06-30
