North Korea-Related Malicious Documents Exploiting the CVE-2021-40444 Vulnerability

2021-11-17 Ahnlab Malicious documents related to North Korea using the vulnerability of CVE-2021-40444

https://asec.ahnlab.com/ko/28690/


AhnLab ASEC reports malicious Office documents using CVE-2021-40444 with North Korea-related lure filenames, showing attackers quickly adopting the MSHTML remote-code-execution vulnerability after its disclosure. The documents used external links and the MHTML protocol to reach a malicious URL, execute JavaScript through the Office/Internet Explorer rendering engine, download a CAB archive, and load a malicious INF-based DLL. The lure content referenced a reunification-related seminar scheduled for November 18, making the documents appear relevant to users interested in North Korea policy issues. AhnLab observed both documents contacting the same infrastructure and published representative hashes plus a defanged officeversion.mywebcommunity.org URL for detection and follow-up.

Indicators of Compromise

| Type | Value | First Seen | Last Seen |
|------|-------|------------|-----------|
| HASH | 809c4c40537c60e224363b94296fbbf2 | 2021-11-17 | 2021-11-17 |
| HASH | 1132d2a12b6fd6cbbc8046df3612d725 | 2021-11-17 | 2021-11-17 |
| HASH | 2edbab4834a1315b476278fb6ed2592f | 2021-11-17 | 2021-11-17 |
| URL | http://officeversion.mywebcommu… | 2021-11-17 | 2021-11-17 |
| DOMAIN | officeversion.mywebcommunity.org | 2021-11-11 | 2021-11-17 |
