The malicious document uses template injection to download a remote template from the following URL:
Upon opening the file, three files are dropped onto the victim's machine:
The shellcode uses the Cobalt Strike Malleable C2 feature with a jQuery Malleable C2 profile to download the second payload from "time.updateeset[.]com".
This technique has also been used in recent campaigns by two other Chinese APT groups, Mustang Panda and APT41.