Malicious Word document using MS Media Player (impersonating AhnLab)

2022-03-31 Ahnlab Malicious word document using MS Media Player (impersonating AhnLab)

https://asec.ahnlab.com/ko/33259/


AhnLab ASEC reported malicious Word documents that impersonate AhnLab and use cryptocurrency-themed filenames to persuade recipients to enable macros. The initial DOCX fetched an external DOTM template through a relationship in word/_rels/settings.xml.rels, and that template triggered its VBA through a Windows Media Player control's open-state event rather than a conventional AutoOpen macro. The macro downloaded architecture-specific payloads from paths under naveicoipc[.]tech, injected the malware into a child word.exe process, and dropped persistence components such as USOService.exe under %ProgramData%\USOShared\Logs, registered through an HKCU Run key. The case shows continued variation in Korean-language document lures and macro-triggering methods aimed at evading detection that looks only for AutoOpen.
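The remote-template step is the part of this chain a defender can check statically, before any macro runs: a DOCX that pulls its template from an http(s) URL carries a relationship with TargetMode="External" in word/_rels/settings.xml.rels. The script below is an added example, not code from ASEC or the original report; it walks every .rels part in a package, lists external relationships, and separates the benign case (a hyperlink) from the risky one (an attachedTemplate pointing at a URL). The sample document it builds, and the template.invalid URL, are constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# OPC relationship namespace and the two relationship types this check cares about.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def find_external_relationships(docx_bytes: bytes) -> list:
    """Walk every *.rels part in the package and return the relationships whose
    TargetMode is External, i.e. whose target lives outside the zip container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],  # e.g. attachedTemplate
                    "target": rel.get("Target", ""),
                })
    return findings


def remote_template_targets(docx_bytes: bytes) -> list:
    """Only the high-risk case: an attachedTemplate relationship in
    word/_rels/settings.xml.rels whose target is an http(s) URL. Word fetches
    that template, macros included, when the document is opened."""
    return [
        f["target"]
        for f in find_external_relationships(docx_bytes)
        if f["part"] == "word/_rels/settings.xml.rels"
        and f["type"] == "attachedTemplate"
        and f["target"].lower().startswith(("http://", "https://"))
    ]


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal DOCX for testing. A benign external hyperlink is always
    present; a remote attachedTemplate relationship is added only when a URL is given."""
    settings_rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="%s">' % RELS_NS,
    ]
    if template_url:
        settings_rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE, template_url)
        )
    settings_rels.append("</Relationships>")
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="https://www.example.com/" TargetMode="External"/>'
        "</Relationships>"
    ) % (RELS_NS, HYPERLINK)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub parts; only .rels are parsed
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", "".join(settings_rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the URL is a placeholder, not an indicator from the report.
    sample = build_sample_docx("http://template.invalid/remote.dotm")
    for rel in find_external_relationships(sample):
        print("external relationship:", rel)
    print("remote templates:", remote_template_targets(sample))
```

To run it over real files, replace the constructed sample with `open(path, "rb").read()`; any non-empty result from `remote_template_targets` is worth quarantining for analysis, while a hyperlink alone is normal in ordinary documents.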

Indicators of Compromise

Type    Value                              First Seen   Last Seen
URL     http://ZVc1ijAU.naveicoipc.tech…   2022-03-31   2022-03-31
URL     http://ZVc1ijAU.naveicoipc.tech…   2022-03-31   2022-03-31
DOMAIN  zvc1ijau.naveicoipc.tech           2022-03-31   2022-03-31
