How To: Analyzing a Malicious Hangul Word Processor Document from a DPRK Threat Actor Group

2019-02-25 Norfolk

https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/


Norfolk Infosec walks through analysis of a malicious Hangul Word Processor document associated with DPRK-linked activity and prior ESTsecurity reporting. The sample includes published MD5, SHA1, and SHA256 values and, when opened, spawns Internet Explorer while making a network request to a compromised Korean website. The analysis focuses on the HWP BIN0003.eps stream: the zlib-compressed EPS content is decompressed, modified to print a second layer, and yields shellcode beginning with a NOP sled for further emulation and debugging. The report is useful for defenders because it documents practical HWP/EPS exploit-analysis steps for malware aimed at Hangul Office environments without asserting a named vendor cluster beyond the source wording.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   7a86e6bffba91997553ac4cf0baec40…   2019-02-25   2019-02-25
HASH   5d9e5c7b1b71af3c5f058f8521d383d…   2019-02-25   2019-02-25
HASH   f2e936ff1977d123809d167a2a51cdeb   2019-02-25   2019-02-25