Hangul (HWP) malware related to the maritime sector being distributed

2020-06-29 Ahnlab HWP malware related to the maritime sector being distributed

https://asec.ahnlab.com/1342


AhnLab reports a maritime-themed malicious HWP document that belongs to a broader set of recent HWP lure categories. It departs from the earlier EPS pattern by leaving the EPS code unencoded, likely to evade pattern-based detection. When the shellcode executes, it creates security.vbs under %AppData%\Microsoft\Internet Explorer and uses that script to download a Base64-encoded DLL, which is saved as security.db. The DLL is retrieved from techimplement.com/wp-content/uploads/wp-logs/mailchimp.php and executed through regsvr32.exe. The report highlights targeted malicious Hangul documents delivered to organizations and provides V3 detection names together with the MD5 1c669d4b2bea6b56dd6e00adabc6319f.
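The execution chain above (script host running a .vbs from the Internet Explorer AppData folder, then regsvr32.exe loading a non-DLL file) can be turned into simple detection logic. The following is an added example, not code from the AhnLab report; the log records and their "timestamp|parent_image|image|command_line" layout are constructed assumptions.

```python
import base64
import re

# Constructed process-creation records (not from the report); the pipe-separated
# field layout timestamp|parent_image|image|command_line is an assumption.
SAMPLE_LOG = """\
2020-06-29T10:01:02|C:\\Program Files\\Hnc\\Hwp.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Internet Explorer\\security.vbs"
2020-06-29T10:01:05|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Internet Explorer\\security.db"
2020-06-29T10:02:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s "C:\\Windows\\System32\\msxml3.dll"
2020-06-29T10:03:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

IE_APPDATA = re.compile(r"\\appdata\\roaming\\microsoft\\internet explorer\\", re.I)
PATH_ARG = re.compile(r'"([^"]+)"|(\S+\.\w+)')   # quoted path, or bare token with an extension
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _first_path_arg(cmdline: str) -> str:
    """Return the first path-like argument after the program name, skipping /switches."""
    args = cmdline.split(None, 1)[1] if " " in cmdline else ""
    for quoted, bare in PATH_ARG.findall(args):
        token = quoted or bare
        if not token.startswith("/"):
            return token
    return ""


def detect(log_text: str) -> list[str]:
    """Flag the two observable steps of the chain: a script host executing a file
    from the IE AppData folder, and regsvr32 loading something not named .dll/.ocx."""
    alerts = []
    for line in log_text.splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        exe = image.rsplit("\\", 1)[-1].lower()
        parent_exe = parent.rsplit("\\", 1)[-1].lower()
        target = _first_path_arg(cmdline)
        if exe in SCRIPT_HOSTS and IE_APPDATA.search(target):
            alerts.append(f"{ts} script host ran {target} from IE AppData (parent {parent_exe})")
        if exe == "regsvr32.exe" and target and not target.lower().endswith((".dll", ".ocx")):
            alerts.append(f"{ts} regsvr32 loaded non-DLL extension: {target} (parent {parent_exe})")
    return alerts


def looks_like_base64_pe(blob: bytes) -> bool:
    """True if the blob Base64-decodes to data starting with the PE 'MZ' magic,
    i.e. what a dropped security.db would look like before regsvr32 runs it."""
    try:
        return base64.b64decode(blob, validate=True).startswith(b"MZ")
    except (ValueError, TypeError):
        return False
```

Running detect() over the sample yields two alerts (the .vbs launch and the .db load); the legitimate msxml3.dll registration is not flagged.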

Indicators of Compromise

Type     Value                               First Seen   Last Seen
URL      https://techimplement.com/wp-co…    2020-06-29   2020-06-29
DOMAIN   techimplement.com                   2020-06-29   2020-06-29
