2026-03-23, TALKS
This session focuses on identity-driven cyber investigations using malicious documents as the primary intelligence source. Rather than treating documents merely as delivery mechanisms, the talk explores how weaponized files, especially PDF, Word, and Excel documents, are intentionally crafted to harvest identities, map victims, and support large-scale infostealer and credential theft campaigns.
Attendees will explore how malicious documents abuse embedded scripts, macros, metadata, and obfuscation techniques to evade detection while silently collecting identity-related data. The session breaks down how these files act as both an initial access vector and a rich source of intelligence, revealing attacker behavior, targeting strategies, and operational patterns.
Through real-world case studies, the talk demonstrates how OSINT techniques can be applied directly to malicious documents to uncover attacker infrastructure, command-and-control relationships, reused artifacts, leaked credentials, and victim profiling indicators. By correlating file metadata, extracted indicators, and open-source intelligence, participants will learn how to transform a single malicious document into a full identity investigation.
By the end of the session, attendees will understand how to investigate malicious documents beyond the payload, using them as intelligence artifacts to trace identity abuse, campaign evolution, and attacker tradecraft.
Outline
1 - Introduction & Context
- Why identity is the real target behind document-based attacks.
- The role of malicious documents in modern infostealer campaigns.
2 - Malicious Documents as Identity Attack Vectors
- PDFs, Word, and Excel as weaponized platforms.
- Common identity theft objectives in document-based attacks.
- From initial access to credential harvesting.
3 - Understanding Malicious Document Structures
- High-level overview of PDF, Word, and Excel internals.
- Execution flow: scripts, macros, embedded objects, and actions.
- Where and how identity-harvesting logic is hidden.
4 - Dissecting a Malicious Document (Live Demo)
- Step-by-step analysis of a weaponized document.
- Practical use of tools such as:
  - pdfid, pdf-parser, pdftk and others
5 - Encoding, Obfuscation, and Evasion Techniques (Demo)
- Common encoding and obfuscation methods used in documents.
- Layered techniques to bypass detection engines.
- How attackers protect identity-stealing workflows.
6 - OSINT: From Document to Identity Infrastructure (Demo)
- Extracting indicators from malicious documents.
- Pivoting to OSINT sources for enrichment.
- Identifying Command & Control endpoints and identity abuse infrastructure.
- Correlating domains, emails, reused artifacts, and leaked data.
7 - Building an Identity-Focused Investigation
- Mapping document artifacts to attacker behavior.
- Campaign tracking and attribution signals.
- Using document intelligence to support IR, SOC, and Threat Intel teams.
8 - Conclusion & Key Takeaways
- Turning malicious documents into intelligence assets.
- Investigating identity abuse beyond the payload.
- Final insights and open discussion.
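As an added example (not part of the talk and not the code of pdfid or the other tools it names), a small pdfid-style triage script in Python: it counts the script, action and embedded-object keywords from section 3, undoes the name hex-escaping attackers use to hide them (section 5), and pulls document metadata, URLs, e-mails and domains as pivot points for the OSINT step in section 6. The PDF bytes and every domain in them are constructed for the demonstration.

```python
import re
from collections import Counter

# pdfid-style keywords: active content, auto-run actions and network/launch hooks
SUSPECT_KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                    "/URI", "/EmbeddedFile", "/ObjStm", "/RichMedia")

# Constructed sample (not a real malware file): auto-run JavaScript, a hex-escaped
# name, a URI action and an e-mail in the metadata; all domains are fictitious.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (var u = "http://invoice-portal.example/login";) >> endobj
5 0 obj << /S /URI /URI (https://cdn-update.example/i.pdf) >> endobj
6 0 obj << /Author (billing@acme-invoices.example) /Producer (Acrobat 9.0) >> endobj
trailer << /Root 1 0 R /Info 6 0 R >>
%%EOF"""

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex-escapes (/J#61vaScript -> /JavaScript), a trick that hides
    keywords from naive grep-style scanning. Applied to the whole file for simplicity."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)

def triage_pdf(data: bytes) -> dict:
    """Count suspect keywords, pull document-info metadata and extract pivotable
    indicators (URLs, e-mails, domains) from a PDF's raw bytes."""
    text = normalize_names(data)
    counts = Counter()
    for kw in SUSPECT_KEYWORDS:
        # a name ends at a delimiter, so /JS must not also match /JSX or /JavaScript
        counts[kw] = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z])", text))
    metadata = {k.decode(): v.decode(errors="replace") for k, v in
                re.findall(rb"/(Author|Creator|Producer|Title)\s*\(([^)]*)\)", text)}
    urls = sorted({u.decode() for u in re.findall(rb"https?://[^\s()<>\"']+", text)})
    emails = sorted({e.decode() for e in re.findall(rb"[\w.+-]+@[\w-]+\.[\w.-]+", text)})
    domains = sorted({re.sub(r"^https?://", "", u).split("/")[0] for u in urls}
                     | {e.split("@", 1)[1] for e in emails})
    # auto-run action plus script/launch content is the classic run-on-open pattern
    auto_run = counts["/OpenAction"] or counts["/AA"]
    active = counts["/JS"] or counts["/JavaScript"] or counts["/Launch"]
    verdict = "suspicious" if auto_run and active else "review"
    return {"keywords": dict(counts), "metadata": metadata, "urls": urls,
            "emails": emails, "domains": domains, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The extracted domains and the metadata e-mail are the values an analyst would then feed to passive DNS, WHOIS and leak-search sources; the keyword counts alone are a triage signal, not proof of malice.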
I’ve been working as Head of Technical Advocacy at SCYTHE, Founder & Investor at CROSS-INTEL, Advisor & Investor at Sherlockeye, BSides Porto Organizer, Red Team Village Director (DEF CON), Senior Advisor at Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a Crime Advocate. International Speaker at Security and New Technologies events in many countries such as the US (Black Hat & DEF CON), Canada, France, Spain, Germany, Poland, Black Hat MEA (Middle East) and others. I’ve served as University Professor in a Master's Degree in Portugal and in Graduation and MBA courses at Brazilian colleges. In addition, I'm Creator and Instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).