Changes in the Operation Method of Hangul Document Malware

2019-11-22 Ahnlab Changes in Hangul document malware operation method

https://asec.ahnlab.com/1271


AhnLab ASEC observed malicious HWP documents that create script files in the Windows Startup folder so payload activity runs after reboot rather than immediately on document execution. One lure used a Korean National Intelligence Studies Association chair election notice and embedded an EPS object that generated a startup script such as method106.0.2.vbs. The attackers were seen testing multiple script formats, including VBS, VBE, JS, and WSF, likely to evade detection by V3 and other security products. The technique matters because the malicious behavior is delayed and split between the HWP/EPS content and the startup script, which makes an HWP document being opened followed by a new script appearing in the Startup folder an important detection pattern.
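The detection pattern described above, written as an added example that is not code from the AhnLab report: it flags script files created directly in a Startup folder and raises severity when the same host opened an HWP document shortly before. The event schema, the five-minute correlation window, and every sample event except the script name method106.0.2.vbs are constructed assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Script formats the report says the attackers tested.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".wsf"}
# Tail shared by the per-user and all-users Startup folders.
STARTUP_TAIL = r"\start menu\programs\startup"
WINDOW = timedelta(minutes=5)  # assumed correlation window

U = r"C:\Users\kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed sample events; hypothetical schema: (time, host, kind, path).
EVENTS = [
    ("2019-11-22T09:00:05", "pc01", "doc_open", r"C:\Users\kim\Downloads\notice.hwp"),
    ("2019-11-22T09:00:09", "pc01", "file_create", U + r"\method106.0.2.vbs"),
    ("2019-11-22T09:10:00", "pc02", "file_create", U + r"\updater.WSF"),
    ("2019-11-22T09:12:00", "pc01", "file_create", r"C:\Users\kim\Documents\report.js"),
    ("2019-11-22T09:20:00", "pc03", "doc_open", r"C:\Users\park\Desktop\memo.hwp"),
    ("2019-11-22T09:20:03", "pc03", "file_create", U + r"\readme.txt"),
]


def is_startup_script(path):
    """True when path is a script file placed directly in a Startup folder."""
    p = PureWindowsPath(path)
    return (p.suffix.lower() in SCRIPT_EXTS
            and str(p.parent).lower().endswith(STARTUP_TAIL))


def detect(events):
    """Return (severity, host, file name) for each Startup-folder script drop."""
    last_hwp = {}  # host -> time of the most recent .hwp open
    alerts = []
    for ts, host, kind, path in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "doc_open" and path.lower().endswith(".hwp"):
            last_hwp[host] = when
        elif kind == "file_create" and is_startup_script(path):
            opened = last_hwp.get(host)
            # The behaviour is delayed until reboot, so the file drop is the
            # only event close in time to the document being opened.
            near = opened is not None and when - opened <= WINDOW
            alerts.append(("high" if near else "medium",
                           host, PureWindowsPath(path).name))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
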

Indicators of Compromise

Type  Value          First Seen  Last Seen
IPv4  27.102.114.55  2019-11-22  2019-11-22
