Powerpoint Possible Threat - cve_2017_0199.xcod!exploit ?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Argan, Mar 23, 2023.

  1. Argan

    Argan Private E-2

    Hello,

    Last night, the Forticlient VPN/antivirus detected a threat on my work computer. It was from a Powerpoint file. I had downloaded the Powerpoint from a webinar from a trusted source. The source is actually a vendor called TPGI. They create accessibility products and they are well known in the market. It was strange and made no sense. Below is the log from Forticlient:

    Scan started at Wednesday, March 22, 2023 7:30:43 PM.
    av_engine: 6.00266; vir_sig: 91.01661; vir_sig_extd: 91.01635; vir_sig_extm: 1.00000; vir_sig_heuristics: 4.00777; mdare: 2.00068; vir_sig_mdare: 1.00000; ems_av_wl_engine: 7.00042; ems_av_wl_sig: 1.00040; ; ems_av_wl_src: FCTEMS1647738692;
    C:\Users\ccoprs\Downloads\Basics of Accessibility Testing - 12-13-2022 (2).pptx, virus found: MSOffice/CVE_2017_0199.XCOD!exploit, action: Remove/quarantine
    Scan finished at Thursday, March 23, 2023 1:18:10 AM.
    Total files scanned 698626, infected 1. Total boot blocks scanned 4, infected 0.
    The current scan type is [Scheduled Full System Scan].

    I will also attach the log. I originally downloaded the Powerpoint from an email from TPGI. This is the first alert I ever got related to TPGI, as I regularly watch their training webinars and download their accompanying slides/Powerpoints. So the threat found is called CVE_2017_0199.XCOD!exploit. I googled and didn't find much about it except from Trend Micro. I am using Powerpoint 2016 by the way. It's what they have on the work computer. I read that a more recently updated Powerpoint might fix this vulnerability. But this threat is old as well, because back before 2016 it was usually sent via email attachment from an unknown source. For this Powerpoint I know who it comes from and who created it - the presenter/online educator. The link to the file is https-3A__email.tpgi.com_e3t_Ctc_DM-2B113_cSHL304_VWzFYk10GmykVHNmkJ8f-5FyBcW3wqskQ4TFm6WN6WXHZ33lLB3V1-2DWJV7CgKWJW3XCDqQ2mWTyJW6RlTS93-2Dg2fgW6JdrYp2vYnlbW7lPS8F2zvP-5FDW4SL77588Wx2xW57k5Hh4QnL5xW1cBQPj2nRTQ7W5yMZts2QgcWMW1xfS761dn5MYN1fgH2lPSPxjN3Nnn5DWN43WW2fVyk-5F2ZRvJSW8jJ0yv1vKC6pW95943X4zJkc5TwDjn3d04t5W1Z8k842XDz4jW8cWl0T3ZRvjvW3GKNPz1RXp5SVSZXb01LCsFcW5Gj2lS808-5FwK38pv1&d=DwMFaQ&c=w_KKIrnflabZu7RVO9QOig&r=EMMw9OfMAnMFSLLv0YvdB4liWoGzVm2zCNjmMjHaX3E&m=c4oGVWlq3IJpSwhiAML64mCAo5TT3_0Dyg_WUsJSngsWgLADWLMUhggUK9fNe77y&s=yxykl6HDA_c2tuj1cseWIXxTlBwauMESu39MWYRMIYI&e=

    See if you can download and analyse the file. I'm not allowed to install programs since this is my work PC, so I couldn't download MalwareBytes or Superantispyware. Instead I used online scanners. Jotti and Metadefender Cloud didn't find anything (screenshots attached). This is the Hybrid Analysis report - https://hybrid-analysis.com/sample/53c2569cf7d19797b06ec311cdb1a9360128901143e88d1cbe50cae29ee11672

    It found a suspicious threat in a Falcon Sandbox report. I tried to read it but I don't fully understand it; it's an in-depth report.

    Virustotal found Exploit.Win32-Doc.Save.CVE-2022-30190 in Sangfor Engine Zero (security vendor). Here is the link to the report - https://www.virustotal.com/gui/file/53c2569cf7d19797b06ec311cdb1a9360128901143e88d1cbe50cae29ee11672.

    I don't understand the behaviour analysis in the Virustotal report. This is why I've come to the forum: I want to understand if it's an authentic threat and how it works. I only looked at the slides by the way. I never played any animations. Can't recall if there are any animations. The Powerpoint wasn't delivered as a typical phishing email from an unknown sender. I know the sender(s), so why would they even put this threat purposely in a presentation? The presentation was also shared with other virtual attendees. I have had this Powerpoint file on my work computer for 3 months now, and Forticlient runs regular automated scans and never detected anything until last night. Are these false positives? In any case, Forticlient quarantined the threat. I just changed my email password just in case. Trend Micro said this threat is a screen/key logger but I'm not sure if that is true. I can't understand the reports. Thanks in advance for any insight.
     

    Attached Files:

    Last edited: Mar 23, 2023
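    As an added example (not from the thread, Fortinet or TPGI), a small Python triage script for a question like the one above. CVE-2017-0199 abuses an OLE object whose relationship inside the .pptx/.docx zip has an External target, so listing every External relationship separates ordinary web hyperlinks (common in webinar slides, and a frequent source of heuristic false positives) from externally linked OLE objects. The functions `triage` and `build_sample`, the constructed sample packages and the placeholder URL are assumptions; point `external_relationships` at the bytes of a real file to inspect it.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(pkg_bytes: bytes) -> list:
    """Walk every *.rels part in an OOXML zip and return (part, type, target)
    for each relationship whose TargetMode is External, i.e. a reference
    that points outside the document itself."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def triage(pkg_bytes: bytes) -> dict:
    """Ordinary hyperlinks are expected in slides; an OLE object fetched from
    an external target is the construct CVE-2017-0199 abuses, so flag it."""
    hits = external_relationships(pkg_bytes)
    ole = [h for h in hits if h[1].endswith("/oleObject")]
    links = [h for h in hits if h[1].endswith("/hyperlink")]
    return {"ole_external": ole, "hyperlinks": links, "suspicious": bool(ole)}


def build_sample(relationship_xml: str) -> bytes:
    """Constructed minimal package: one slide relationship part, nothing else."""
    rels = '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, relationship_xml)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a slide linking to a website, and a slide whose
# embedded object would be loaded from a (placeholder) remote location.
BENIGN = build_sample('<Relationship Id="rId1" Type="%shyperlink" '
                      'Target="https://www.example.com/" TargetMode="External"/>' % RT)
FLAGGED = build_sample('<Relationship Id="rId2" Type="%soleObject" '
                       'Target="http://placeholder.invalid/object" TargetMode="External"/>' % RT)
```

    A real deck that only turns up `/hyperlink` entries has none of the CVE-2017-0199 linking construct, which is useful context when one engine out of many fires on it.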
  2. Argan

    Argan Private E-2

  3. Argan

    Argan Private E-2

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Virustotal reports only 1 out of 64 virus detectors found it malicious.
     
  5. Argan

    Argan Private E-2

    Ok, thanks for replying Tim. So does that mean it's not really malicious, since Virustotal found that? Also my Fortinet alerted me to it as well. I'm wondering, if Windows 10 is up to date, does that mean it should not have done anything?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are worried about it, just delete it. :)
     
