Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Open Packaging Conventions - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Open Packaging Conventions

Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.

OOXML files follow the Open Packaging Conventions (OPC) format.

OPC files contain a /[Content_Types].xml file (describing the MIME format of all parts of the OPC container) and a _rels/.rels file (documenting the relationships inside the OPC container).

Like this .xlsm file:

In my experience with OOXML files, /[Content_Types].xml is the first ZIP record, and _rels/.rels is the second ZIP record.

When an OOXML file has been modified with a ZIP utility, it's often the case that that order is no longer respected: files /[Content_Types].xml  and _rels/.rels  are no longer first and second (this has no impact on the parsing of these altered files by Office applications).

AFAIK, the OPC standard does not require these 2 files to be the first in the ZIP container.

Please post a comment if you know of OPC examples (there are other file formats than OOXML that are based on OPC) created by applications that do not put these 2 files first inside the ZIP container.


Didier Stevens
Senior handler
Microsoft MVP


640 Posts
ISC Handler
Oct 10th 2020
Two examples (bazaar):
5aa8791f8baedf09bd004e5305b0ba61b60faef7e281ed04fe07ef6dd571289c (.xlsx)
Based on one example:
(here a Python-Code to check all files of a directory could be helpfull)
> Two examples (bazaar):
> 0a74e76992fb20a3871245a26d14036f131eda3b0339db98b2ceecce5fbd90c0
> 5aa8791f8baedf09bd004e5305b0ba61b60faef7e281ed04fe07ef6dd571289c (.xlsx)

Do you know which applications were used to create these files?

640 Posts
ISC Handler
Indeed, I just tried LibreOffice. Thanks

640 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!