StegoToolkit

Document Steganography Hider

Hide text or files inside DOCX, XLSX, PPTX, or ODT documents using OOXML Custom XML Parts or ZIP comments. AES-256 encryption. 100% client-side.


Supported carrier formats: DOCX, XLSX, PPTX, ODT. Maximum file size: 200 MB.

100% Client-Side Processing

Your document is parsed and rewritten in this browser tab using JSZip. Nothing is uploaded.

How to Hide a Message in a Word, Excel, or PowerPoint File (4 steps)

  1. Upload a DOCX, XLSX, PPTX, or ODT document (the carrier)
  2. Enter a text message or attach a file as the payload
  3. Pick a method: Custom XML Parts (survives MS Office re-save) or ZIP Comment (high speed, fragile)
  4. Optionally encrypt with a password — then click Encode and download the stego document

OOXML Embedding Methods Compared

| Method | Technique | Durability | Best For |
|---|---|---|---|
| Custom XML Parts | Adds an OOXML Custom Part + relationship | Survives MS Office re-save | Default (durable hiding) |
| ZIP Comment | Embeds payload in ZIP central-directory comment | Fast, ~48KB, wiped on re-save in Office | Quick CTF-style transport |
| AES-256-GCM | PBKDF2 key derivation, random salt + IV | +32 bytes overhead | Encrypted payloads |
| OOXML formats | DOCX, XLSX, PPTX, ODT all share ZIP structure | Detected from file extension | Microsoft Office + LibreOffice + ODF |

Frequently Asked Questions

Will the document still open normally?

Yes. Custom XML Parts and ZIP comments are silently preserved by Microsoft Office, LibreOffice, and ODF readers — the document opens, prints, and edits identically.

Which method should I use?

Custom XML Parts. It's the only method that survives a recipient saving the document in Microsoft Office. ZIP Comment is faster but Office wipes it on save.

Is my document uploaded?

Never. JSZip and the Web Crypto API process everything inside this browser tab. Your document never leaves your device.

What's the maximum payload size?

ZIP Comment is capped at ~48KB. Custom XML Parts is effectively limited only by available memory — typically several MB works fine in-browser.

Can I hide a file, not just text?

Yes. Pick "Hide a File" on the payload step and choose any file. It's base64-encoded inside the OOXML structure and recovered byte-perfect by the decoder.

Why do I see the payload listed in [Content_Types].xml?

OOXML requires every part to be registered. The decoder uses this registration to find the payload — that's normal and required for the document to open.
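The same registration gives a reviewer something to check. As an added example in Python (not the tool's own code), the sketch below reports a non-empty ZIP archive comment and any part that holds a long base64 run, together with whether `[Content_Types].xml` names that part explicitly. The `customXml/item1.xml` path, the 120-character threshold and both sample packages are assumptions constructed for the demo; the page does not document where the tool stores its part.

```python
import base64
import io
import re
import zipfile

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")  # assumed cut-off for a "long" run
READ_CAP = 8 * 1024 * 1024  # bytes read per part, bounds decompression of hostile archives

def read_capped(zf, name):
    with zf.open(name) as part:
        return part.read(READ_CAP)

def triage(data):
    """Return (kind, part_name, detail) findings for a ZIP-based office document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.comment:  # archive comment from the End of Central Directory record
            findings.append(("zip-comment", "", len(zf.comment)))
        names = zf.namelist()
        ctypes = read_capped(zf, "[Content_Types].xml") if "[Content_Types].xml" in names else b""
        for name in names:
            run = B64_RUN.search(read_capped(zf, name))
            if run:
                # True when [Content_Types].xml names this part explicitly
                registered = ("/" + name).encode() in ctypes
                findings.append(("base64-run", name, (len(run.group()), registered)))
    return findings

def build_sample(hidden):
    """Constructed minimal package for the demo; not output of the tool on this page."""
    override = '<Override PartName="/customXml/item1.xml" ContentType="application/xml"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types>%s</Types>" % (override if hidden else ""))
        zf.writestr("word/document.xml", "<w:document>Quarterly report</w:document>")
        if hidden:
            blob = base64.b64encode(bytes(range(256))).decode()  # constructed payload
            zf.writestr("customXml/item1.xml", "<data>%s</data>" % blob)
            zf.comment = b"constructed comment payload"
    return buf.getvalue()

if __name__ == "__main__":
    for label, hidden in (("clean", False), ("carrier", True)):
        print(label, triage(build_sample(hidden)))
```

A hit is a triage signal, not proof: an encrypted payload still appears as an opaque base64 run, and legitimate documents can carry base64 data of their own.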

Does it work with password-protected DOCX files?

Not yet. Password-protected OOXML files are encrypted at the ZIP level, so JSZip cannot read them in the browser. Decrypt the document first, then encode.