Detecting Embedded Content in OOXML Documents

2022-08-18 Mandiant

https://www.mandiant.com/resources/detecting-embedded-content-in-ooxml-documents

Mandiant describes a method for clustering malicious Office Open XML documents by ZIP local-file-header metadata such as CRC-32 values, uncompressed sizes, and embedded file names. The DPRK-relevant example uses a YARA rule to detect OOXML documents carrying a specific PNG image found in files that drop LATEOP and are attributed to groups including UNC1130, which Mandiant identifies as a North Korean state-sponsored actor. The technique is presented as a repeatable way for analysts to find related documents that reuse the same embedded content over time, while other examples in the article cover non-DPRK activity such as FIN7.
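The clustering method summarised above works on the ZIP local file header of each part inside the OOXML package, because that header carries the CRC-32, compressed size, uncompressed size and part name in fixed positions that a YARA rule can match on raw bytes. The following Python is an added example written for this page, not code from the Mandiant article: it walks the local file headers of a container, fingerprints each embedded part by (CRC-32, uncompressed size), reports matches against a known fingerprint, and renders a fingerprint as a YARA hex string anchored on the header layout. The sample packages, the "known" image bytes and the cluster label are all constructed for the demonstration; it also handles the data-descriptor case (general purpose flag bit 3), where the local header holds zeros and cannot identify the part on its own.

```python
import io
import struct
import zipfile
import zlib

# ZIP local file header, fixed part (PKWARE APPNOTE section 4.3.7), little-endian:
# signature(4) version(2) flags(2) method(2) mtime(2) mdate(2)
# crc32(4) compressed_size(4) uncompressed_size(4) name_len(2) extra_len(2)
LFH_SIG = b"PK\x03\x04"
LFH_FMT = "<4sHHHHHIIIHH"
LFH_SIZE = struct.calcsize(LFH_FMT)  # 30 bytes
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: crc/sizes are zero here and follow the data


def iter_local_headers(data: bytes):
    """Walk every local file header in a ZIP container and yield its metadata.

    This reads the raw bytes the way a YARA rule sees them instead of trusting
    the central directory, so a tampered central directory cannot hide a part."""
    pos = 0
    while True:
        pos = data.find(LFH_SIG, pos)
        if pos < 0 or pos + LFH_SIZE > len(data):
            return
        (_sig, _ver, flags, _method, _mtime, _mdate,
         crc, csize, usize, nlen, xlen) = struct.unpack_from(LFH_FMT, data, pos)
        name_start = pos + LFH_SIZE
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        yield {"name": name, "crc32": crc, "usize": usize, "csize": csize, "flags": flags}
        pos = name_start + nlen + xlen
        # With sizes present we skip the compressed data outright; with a data
        # descriptor in use we fall back to scanning for the next signature.
        if not flags & FLAG_DATA_DESCRIPTOR:
            pos += csize


def find_reused_content(doc: bytes, known: dict) -> list:
    """Return parts of `doc` whose (crc32, uncompressed size) matches a known
    fingerprint. Parts that defer CRC/size to a data descriptor are flagged
    separately: the local header alone cannot identify them."""
    hits = []
    for entry in iter_local_headers(doc):
        if entry["flags"] & FLAG_DATA_DESCRIPTOR:
            hits.append({"name": entry["name"], "label": "unverifiable: data descriptor"})
            continue
        label = known.get((entry["crc32"], entry["usize"]))
        if label is not None:
            hits.append({"name": entry["name"], "label": label,
                         "crc32": entry["crc32"], "usize": entry["usize"]})
    return hits


def yara_hex_pattern(crc32: int, usize: int) -> str:
    """Render a fingerprint as a YARA hex string anchored on the local header:
    signature, 10 bytes of version/flags/method/time/date, the CRC-32, 4 bytes
    of compressed size (varies with compressor settings), then the uncompressed
    size. Values are little-endian, as stored on disk."""
    crc_bytes = " ".join(f"{b:02X}" for b in struct.pack("<I", crc32))
    size_bytes = " ".join(f"{b:02X}" for b in struct.pack("<I", usize))
    return f"{{ 50 4B 03 04 [10] {crc_bytes} [4] {size_bytes} }}"


def build_ooxml_like(parts: dict) -> bytes:
    """Constructed sample container laid out like an OOXML package (not a real
    document); each part is stored deflated with CRC/size in its local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed "known" embedded image: PNG-looking bytes, not a real image and
# not the image referenced in the article. The label is likewise made up.
KNOWN_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed-sample-image-bytes" * 8
KNOWN_FINGERPRINTS = {
    (zlib.crc32(KNOWN_IMAGE) & 0xFFFFFFFF, len(KNOWN_IMAGE)): "cluster-A shared image",
}

DOC_A = build_ooxml_like({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document>lure text for document A</w:document>",
    "word/media/image1.png": KNOWN_IMAGE,
})
DOC_B = build_ooxml_like({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document>unrelated document B</w:document>",
    "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"different-image" * 8,
})

if __name__ == "__main__":
    for h in find_reused_content(DOC_A, KNOWN_FINGERPRINTS):
        print(h["name"], "->", h["label"], yara_hex_pattern(h["crc32"], h["usize"]))
    print("DOC_B hits:", find_reused_content(DOC_B, KNOWN_FINGERPRINTS))
```

Matching on the uncompressed size and CRC-32 rather than the compressed size is deliberate: the same image re-saved by a different Office build or compressor level changes the deflate stream but not the CRC of the original bytes, which is what makes the fingerprint stable across a document cluster. A practitioner scaling this up would collect (name, CRC-32, size) tuples across a corpus and look for tuples shared by documents that otherwise differ.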

Indicators of Compromise

Type Value First Seen Last Seen
HASH 397ba1d0601558dfe34cd5aafaedd18e 2022-08-18 2022-08-18
HASH 0dc39af4899f6aa0a8d29426aba59314 2022-08-18 2022-08-18
HASH 3bdfaf98d820a1d8536625b9efd3bb14 2022-08-18 2022-08-18
HASH 252227b8701d45deb0cc6b0edad98836 2022-08-18 2022-08-18
