HWP Malware.. Please Give me back my weekend.......
2018-11-24 • kino
A malicious HWP document themed as a National Security Council Policy Advisory Committee plenary meeting plan was found and was likely used in attacks; its metadata shows author and last-saved values of yoonjh337 and cha0520. The document contains an embedded EPS file with exploit code and shellcode that decrypts additional code, launches iexplorer.exe in suspended mode, and injects the next-stage shellcode into it. The injected shellcode decrypts embedded data and attempts to download and run another file, although the source notes the download was no longer active at analysis time. The report provides hashes for the HWP sample and identifies hxxp://padosori[.]co[.]kr/_controller/admin/upload_sec/down[.]php as the related C2 infrastructure, so that defenders can check their own telemetry against it.
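The process chain above (HWP host process spawning a browser and injecting into it) is visible in endpoint telemetry. The following is an added detection example, not code from the report; it assumes Sysmon-style ProcessCreate (Event ID 1) and CreateRemoteThread (Event ID 8) records already parsed into dicts, that the HWP host process is named Hwp.exe, and uses constructed sample events.

```python
import ntpath

# Assumed name of the Hancom HWP host process; extend for your environment.
HWP_HOSTS = {"hwp.exe"}
# Children a document viewer has no business launching (page names iexplorer.exe).
SUSPICIOUS_CHILDREN = {"iexplore.exe", "iexplorer.exe", "cmd.exe",
                       "powershell.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Normalise a Windows image path to its lowercase file name."""
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return (severity, reason, event index) findings for the HWP chain."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("event_id")
        if eid == 1:  # ProcessCreate: any child of the HWP viewer is unusual
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in HWP_HOSTS:
                sev = "high" if child in SUSPICIOUS_CHILDREN else "medium"
                findings.append((sev, f"{parent} spawned {child}", i))
        elif eid == 8:  # CreateRemoteThread: injection from the viewer process
            src, dst = basename(ev["source_image"]), basename(ev["target_image"])
            if src in HWP_HOSTS:
                findings.append(("high", f"{src} injected thread into {dst}", i))
    return findings


# Constructed sample telemetry: benign launch, then the chain from the report.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Program Files\Hnc\Office\Hwp.exe"},
    {"event_id": 8, "source_image": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Hnc\Office\Hwp.exe"},
]

if __name__ == "__main__":
    for sev, reason, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {reason}")
```

The first event (Explorer launching Hwp.exe) produces no finding; the browser spawn and the remote thread are rated high, and the unexpected notepad child is rated medium for triage.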
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 281160972ef8f657139d3801139e6783 | 2018-11-24 | 2019-07-03 |
| HASH | d29c6116691f6124e7c5b6b1ed05589… | 2018-11-24 | 2018-11-24 |
| HASH | 0a7f9204e62041f86464e44c8ab902c… | 2018-11-24 | 2018-11-24 |
| URL | http://padosori.co.kr/_controll… | 2018-11-24 | 2018-11-24 |
| DOMAIN | padosori.co.kr | 2018-11-24 | 2018-11-24 |