APT37 strikes again?
2020-04-23 • Strangereal Intel
StrangerealIntel analyzed an APT37-themed malicious document that uses an auto-open macro to decode an embedded next-stage payload with XOR 0xFF, save it in the user profile, and launch it with a C2 URL. The second stage is a UPX-packed PE loader that checks debugging and system architecture, decodes a custom base64-like payload into a CAB file, and uses a fileless UAC bypass based on token impersonation from wusa.exe. The elevated chain extracts files, creates a Windows Print Service-style service for persistence, deletes staging artifacts, and later downloads a final data file containing FTP credentials. The implant collects system information and file listings, encodes them with the custom algorithm, and sends them over FTP, while the author notes overlap with North Korean macro tooling and earlier Lazarus/Konni-style TTPs.
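The first stage described above hides its next-stage payload behind a single-byte XOR with 0xFF. A triage helper that locates such a payload inside a document blob is shown below as an added example (it is not StrangerealIntel's code and the sample bytes are constructed): it searches for the XOR-encoded form of the `MZ` marker and only reports a hit when the decoded `e_lfanew` field points at a valid `PE\0\0` signature, which filters out chance two-byte matches.

```python
"""Triage helper: find a PE that has been obfuscated with a single-byte XOR
key of 0xFF, as described for the macro's next stage.
Added example, not the analysed sample's or the author's code; the
embedded stub used for the demonstration is constructed."""

XOR_KEY = 0xFF
MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply the single-byte XOR used by the macro (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes, key: int = XOR_KEY):
    """Scan a document blob for an MZ header that only appears after decoding.

    Returns (offset, decoded_bytes_from_offset) for the first candidate whose
    e_lfanew (DOS header offset 0x3C) points at a 'PE\\0\\0' signature, else None.
    """
    needle = xor_decode(MZ, key)  # what 'MZ' looks like while still encoded
    pos = blob.find(needle)
    while pos != -1:
        header = xor_decode(blob[pos:pos + 0x40], key)
        if len(header) == 0x40:
            e_lfanew = int.from_bytes(header[0x3C:0x40], "little")
            sig = xor_decode(blob[pos + e_lfanew:pos + e_lfanew + 4], key)
            if sig == PE_SIG:
                return pos, xor_decode(blob[pos:], key)
        pos = blob.find(needle, pos + 1)
    return None


def build_sample() -> bytes:
    """Construct a minimal fake PE stub (MZ header, e_lfanew = 0x40, then
    'PE\\0\\0'), XOR-encode it and bury it in filler, mimicking an embedded
    next stage. Constructed test data, not bytes from the real document."""
    stub = bytearray(MZ + b"\x00" * 0x3A + (0x40).to_bytes(4, "little"))
    stub += PE_SIG + b"\x00" * 20
    return b"A" * 100 + xor_decode(bytes(stub)) + b"B" * 50


if __name__ == "__main__":
    hit = find_xor_pe(build_sample())
    print("encoded PE found at offset", hit[0] if hit else None)
```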
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://mydownload-202001.c1.biz | 2020-04-23 | 2020-04-23 |
| DOMAIN | miro.medium.com | 2020-04-23 | 2020-04-23 |
| DOMAIN | mydownload-202001.c1.biz | 2020-04-23 | 2020-04-23 |