Document Steganography Extractor
Extract hidden payloads from DOCX/XLSX/PPTX/ODT documents. Auto-detects Custom XML Parts and ZIP Comments. AES-256 decrypt + CTF flag detection.
Supported formats: DOCX, XLSX, PPTX, ODT. Maximum file size: 200 MB.
100% Client-Side Processing
Your document is parsed and rewritten in this browser tab using JSZip. Nothing is uploaded.
How to Decode a Steganographic Office Document (4 steps)
- Upload the DOCX, XLSX, PPTX, or ODT file you suspect carries hidden data
- Optionally enter a decryption password (leave blank for unencrypted payloads)
- Click Decode — the tool tries Custom XML Parts and ZIP Comment automatically
- Review the extracted message, file, or anomaly score
OOXML Decoding Methods
| Method | Technique | Reliability | Best For |
|---|---|---|---|
| Custom XML Parts | Looks for /customXml/ep_payload.xml + custom relationships | Most reliable — survives MS Office re-save | Default — encoder companion output |
| ZIP Comment | Reads ZIP central-directory comment via JSZip | Fast, ~48KB max | Quick payloads, CTF challenges |
| AES-256-GCM | Decrypts the recovered payload with PBKDF2-derived key | Wrong password silently rejected (plausible deniability) | Encrypted hidden data |
| Anomaly score | Combines ZIP comment, custom relationship, payload kind | 0–100 forensic verdict | Confirming hidden data even without extraction |
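A structural check for the first two rows of the table, written as an added example (not the tool's own code, which uses JSZip): it reads the ZIP End of Central Directory (EOCD) record and the central directory by hand and reports a non-empty archive comment or a customXml/ep_payload.xml entry. The function names, finding labels and sample bytes are assumptions made for illustration, and ZIP64 archives are not handled.

```javascript
// Added example: triage a ZIP-based document from its central directory only.
function inspectDocumentZip(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const text = (off, len) => new TextDecoder().decode(bytes.subarray(off, off + len));
  // The EOCD record is 22 bytes plus a comment of up to 65535 bytes, so scan
  // backwards for its signature and require the comment to end at end-of-file.
  let eocd = -1;
  for (let i = bytes.length - 22; i >= 0 && i >= bytes.length - 22 - 0xffff; i--) {
    if (view.getUint32(i, true) === 0x06054b50 &&
        i + 22 + view.getUint16(i + 20, true) === bytes.length) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("no End of Central Directory record found");
  const comment = text(eocd + 22, view.getUint16(eocd + 20, true));
  const count = view.getUint16(eocd + 10, true);   // total entries (ZIP64 not handled)
  let off = view.getUint32(eocd + 16, true);       // central directory start offset
  const names = [];
  for (let n = 0; n < count; n++) {
    if (view.getUint32(off, true) !== 0x02014b50) throw new Error("bad central directory entry");
    const nameLen = view.getUint16(off + 28, true);
    names.push(text(off + 46, nameLen));
    // Skip the fixed header, name, extra field and per-file comment.
    off += 46 + nameLen + view.getUint16(off + 30, true) + view.getUint16(off + 32, true);
  }
  const findings = [];
  if (comment.length > 0) findings.push("zip-comment");
  if (names.some((n) => n.replace(/^\//, "") === "customXml/ep_payload.xml")) findings.push("ep_payload-part");
  return { comment, names, findings };
}

// Constructed sample (not a real document): central directory + EOCD only, ASCII names.
function buildSample(names, comment) {
  const enc = new TextEncoder();
  const parts = names.map((name) => {
    const entry = new Uint8Array(46 + name.length);
    new DataView(entry.buffer).setUint32(0, 0x02014b50, true);
    new DataView(entry.buffer).setUint16(28, name.length, true);
    entry.set(enc.encode(name), 46);
    return entry;
  });
  const end = new Uint8Array(22 + comment.length), v = new DataView(end.buffer);
  v.setUint32(0, 0x06054b50, true);
  v.setUint16(10, names.length, true);  // total entries; directory starts at offset 0
  v.setUint16(20, comment.length, true);
  end.set(enc.encode(comment), 22);
  parts.push(end);
  const out = new Uint8Array(parts.reduce((sum, p) => sum + p.length, 0));
  parts.reduce((o, p) => (out.set(p, o), o + p.length), 0);
  return out;
}
```

In a browser, pass `new Uint8Array(await file.arrayBuffer())` for the selected file; an empty `findings` array means neither indicator is present, not that the document is clean.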
Frequently Asked Questions
What documents does this decoder support?
DOCX, XLSX, PPTX, and ODT files — all OOXML/ODF ZIP-based formats. Password-protected documents need to be decrypted first.
Is my document uploaded?
Never. JSZip and the Web Crypto API process everything in your browser tab. Your document never leaves your device.
What if no payload is found?
The anomaly score still tells you whether the document looks suspicious — custom relationships, ZIP comments, or unusual entries all bump the score. You may need to try a different decoder or inspect the ZIP manually.
Why is the output garbled?
The payload was probably encrypted — enter the password used during encoding. Wrong passwords return garbage rather than an error (plausible deniability).
Can it find CTF flags automatically?
Yes. Output is scanned for FLAG{}, HTB{}, picoCTF{}, CTF{}, and CHTB{} patterns. Hits are highlighted at the top of the result.
Why don't I see the deep ZIP structure visualizer?
The full forensic visualizer (Custom Parts Inspector, XML Attribute Scanner, Hidden Text Detector) is on the roadmap. Today's decoder ships the two methods that match the encoder, plus the anomaly score.