Malicious HWP Document Disguised as Reunification Education Support Application

2025-03-13 Ahnlab

https://asec.ahnlab.com/en/86841/

ASEC found a malicious HWP file linked from a March 5 post recruiting students for a reunification-related course, where the HWP download was disguised as an application form. Opening the document created a normal decoy document, document.bat, scheduled-task XML files, BAT components, executable files, and manifest files under the TEMP path. Hyperlinks embedded in the document body launched document.bat, which renamed files, registered scheduled tasks, and executed the decoy to reduce user suspicion. The 0304.exe and 0304_1.exe components read manifest files to run additional BAT logic, reach an external URL, download more files, and execute attacker-controlled commands.
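
The chain described above (document viewer, then a BAT file in TEMP, then scheduled-task registration from XML files in TEMP) can be matched on process-creation telemetry. The sketch below is an added example, not code from ASEC or the report; the `Hwp.exe` process name, registration via `schtasks /create /xml`, the event field names, and every sample event are assumptions constructed for illustration.

```python
import re

# Assumed, not from the report: viewer process name Hwp.exe, registration via
# "schtasks /create /xml", and the event field names. All events are constructed.
TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Hnc\Hwp.exe",
     "cmdline": r"Hwp.exe C:\Users\u\Downloads\application.hwp"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\document.bat"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn T1 /xml C:\Users\u\AppData\Local\Temp\t1.xml /f"},
    # Control: an installer registering a task from TEMP, unrelated to any document.
    {"pid": 400, "ppid": 100, "image": r"C:\Users\u\Downloads\setup.exe", "cmdline": "setup.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Upd /xml C:\Users\u\AppData\Local\Temp\upd.xml"},
]

def ancestors(pid, by_pid):
    """Yield parent events up the process tree, stopping on gaps or PID loops."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent is None:
            return
        yield parent
        pid = parent["pid"]

def classify(ev):
    """Label an event that matches one step of the described chain, else None."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if not TEMP.search(cmd):
        return None
    if image.endswith("\\cmd.exe") and ".bat" in cmd:
        return "bat-from-temp"
    if image.endswith("\\schtasks.exe") and "/create" in cmd and "/xml" in cmd:
        return "task-from-temp-xml"
    return None

def find_chain(events):
    """Return (pid, label) for chain steps that descend from the document viewer."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["pid"], label) for e in events
            if (label := classify(e))
            and any(a["image"].lower().endswith("\\hwp.exe") for a in ancestors(e["pid"], by_pid))]

if __name__ == "__main__":
    print(find_chain(SAMPLE))
```

Processes later started by a registered task are launched by the Task Scheduler service rather than by the viewer, so ancestry matching only covers the registration step; that step is the one to alert on.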
