Sample Analysis of Kimsuky's Attacks - msc
2024-12-24 • Sec AI
https://www.secai.ai/blog/latest_research/Sample-Analysis-of-Kimsuky's-Attacks-msc
SecAI analyzed a Kimsuky MSC lure that opened a forged document prompt, then released a PE file and encrypted configuration data for follow-on execution. The embedded code downloaded a decoy document and malicious components into user directories, created a scheduled task, and used pest.exe to parse an adjacent manifest value before decoding and running a VBS script. That script attempted to retrieve staged content from Google Drive, write it to sim.sid, rename it to sim.bat on later runs, and continue the payload chain, matching SecAI's broader 2024 tracking of Kimsuky phishing and remote-control activity.
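A small host-level correlation rule over constructed, Sysmon-like events, added here as an illustration and not SecAI's own tooling, that keys on the chain described above: mmc.exe spawning a binary from a user directory, a scheduled task whose action lives in a user directory, a script host running a .vbs from a user directory, and a .sid-to-.bat rename. Field names, hostnames, paths and the task name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed telemetry in a simplified, Sysmon-like shape. Field names,
# hosts, paths and the task name are assumptions for this example only.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\pest.exe", "cmdline": "pest.exe"},
    {"host": "ws01", "type": "task_created", "task": r"\ExampleTask",
     "action": r"C:\Users\alice\AppData\Roaming\sim.bat"},
    {"host": "ws01", "type": "process", "parent": r"C:\Users\alice\AppData\Local\Temp\pest.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Roaming\stage.vbs"},
    {"host": "ws01", "type": "file_rename", "src": r"C:\Users\alice\AppData\Roaming\sim.sid",
     "dst": r"C:\Users\alice\AppData\Roaming\sim.bat"},
    # Benign-looking noise on another host: one weak signal, below threshold.
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\Documents\cleanup.vbs"},
]

USER_PATH = re.compile(r"[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def signals_for(ev):
    """Return the list of weak signals a single event contributes."""
    out = []
    if ev["type"] == "process":
        parent, image, cmd = ev.get("parent", "").lower(), ev["image"].lower(), ev["cmdline"].lower()
        # The MSC lure runs under mmc.exe; a child binary dropped under C:\Users is unusual.
        if parent.endswith("mmc.exe") and USER_PATH.search(ev["image"]):
            out.append("mmc_spawned_user_dir_binary")
        # The decoded VBS stage is run by a script host from a user directory.
        if image.endswith(SCRIPT_HOSTS) and ".vbs" in cmd and USER_PATH.search(cmd):
            out.append("script_host_ran_user_dir_vbs")
    elif ev["type"] == "task_created" and USER_PATH.search(ev.get("action", "")):
        out.append("scheduled_task_runs_user_dir_file")
    elif ev["type"] == "file_rename":
        # sim.sid is renamed to sim.bat on a later run of the script.
        if ev["src"].lower().endswith(".sid") and ev["dst"].lower().endswith(".bat"):
            out.append("sid_renamed_to_bat")
    return out

def correlate(events, threshold=2):
    """Group signals per host; report hosts reaching the threshold of distinct signals."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(signals_for(ev))
    return {host: sorted(sigs) for host, sigs in hits.items() if len(sigs) >= threshold}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Each signal alone is noisy on a real estate; the value is in requiring several of them on the same host, and the threshold and user-directory pattern should be tuned to local baselines.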