
SANS ISC: Open Packaging Conventions - SANS Internet Storm Center SANS ISC InfoSec Forums

Open Packaging Conventions

Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.

OOXML files follow the Open Packaging Conventions (OPC) format.

OPC files contain a /[Content_Types].xml file (describing the MIME format of all parts of the OPC container) and a _rels/.rels file (documenting the relationships inside the OPC container).

Like this .xlsm file:

In my experience with OOXML files, /[Content_Types].xml is the first ZIP record, and _rels/.rels is the second ZIP record.

When an OOXML file has been modified with a ZIP utility, that order is often no longer respected: /[Content_Types].xml and _rels/.rels are no longer the first and second records (this has no impact on how Office applications parse these altered files).

AFAIK, the OPC standard does not require these 2 files to be the first in the ZIP container.

Please post a comment if you know of OPC examples (there are other file formats than OOXML that are based on OPC) created by applications that do not put these 2 files first inside the ZIP container.


Didier Stevens
Senior handler
Microsoft MVP
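
The record-order check described in this diary, as an added example (not code from the diary or its author): it reports whether `[Content_Types].xml` and `_rels/.rels` are the first and second ZIP records, both in central-directory order and in physical order (local header offset), for every OPC file in a directory. The function names, the case-insensitive name comparison and the in-memory sample builder are this example's own assumptions.

```python
import io
import sys
import zipfile
from pathlib import Path

# The two OPC parts as stored in the ZIP (no leading slash), lower-cased.
EXPECTED = ["[content_types].xml", "_rels/.rels"]

def _norm(info):
    return info.filename.lstrip("/").lower()

def record_order(source):
    """Return order flags for an OPC file, or None if source is not a ZIP
    or has no [Content_Types].xml. source: path or binary file object."""
    if not zipfile.is_zipfile(source):
        return None
    try:
        with zipfile.ZipFile(source) as zf:
            infos = zf.infolist()          # central directory order
    except zipfile.BadZipFile:
        return None
    central = [_norm(i) for i in infos]
    # Physical order: sort records by the offset of their local file header.
    physical = [_norm(i) for i in sorted(infos, key=lambda i: i.header_offset)]
    if EXPECTED[0] not in central:
        return None
    return {"central_ok": central[:2] == EXPECTED,
            "physical_ok": physical[:2] == EXPECTED,
            "first_two": physical[:2]}

def scan_directory(directory):
    """Yield (path, result) for every OPC file found under directory."""
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file() and (result := record_order(path)) is not None:
            yield path, result

def build_sample(names):
    """Constructed input: an in-memory ZIP with empty parts in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, res in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "expected" if res["physical_ok"] else "REORDERED"
        print(f"{flag:9}  {path}  first records: {res['first_two']}")
```

A REORDERED result only indicates that the container was written or rewritten by something that does not keep the usual order; it is a triage signal, not a verdict on the file.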


652 Posts
ISC Handler
Oct 10th 2020
Two examples (bazaar):
5aa8791f8baedf09bd004e5305b0ba61b60faef7e281ed04fe07ef6dd571289c (.xlsx)
Based on one example:
(here, Python code to check all files of a directory could be helpful)
> Two examples (bazaar):
> 0a74e76992fb20a3871245a26d14036f131eda3b0339db98b2ceecce5fbd90c0
> 5aa8791f8baedf09bd004e5305b0ba61b60faef7e281ed04fe07ef6dd571289c (.xlsx)

Do you know which applications were used to create these files?

652 Posts
ISC Handler
Indeed, I just tried LibreOffice. Thanks
