Unit 6 - Practice Quiz

INT250

1 What is the primary definition of malware in the context of digital evidence analysis?

A. Software designed to improve system performance
B. Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system
C. Hardware components that fail due to overheating
D. Network protocols used for secure communication

2 Which of the following is a common technique used by attackers to spread malware via email?

A. Port Scanning
B. Phishing
C. SQL Injection
D. Packet Sniffing

3 What is a 'Drive-by Download'?

A. Downloading software from a physical drive
B. Unintended download of malicious code by visiting a compromised website
C. Manually downloading a file from an email
D. Copying files from a USB stick

4 Which term describes malicious advertisements used to distribute malware?

A. Adware
B. Malvertising
C. Spyware
D. Ransomware

5 What is the primary goal of Malware Forensics?

A. To repair broken hardware
B. To design new antivirus software
C. To understand the capabilities, origin, and impact of a malicious sample
D. To increase network speed

6 Which analysis type involves examining the malware without executing it?

A. Dynamic Analysis
B. Static Analysis
C. Behavioral Analysis
D. Memory Forensics

7 Which environment is most recommended for performing malware analysis to prevent infection of the host system?

A. Production Server
B. The analyst's personal laptop
C. An isolated Virtual Machine (VM) or Sandbox
D. A public Wi-Fi network

8 In Static Analysis, what is the purpose of calculating the file hash (MD5, SHA256)?

A. To decrypt the file
B. To execute the file safely
C. To identify the file uniquely and check against databases like VirusTotal
D. To compress the file size

9 What tool is commonly used in static analysis to extract readable text strings from a binary?

A. Strings
B. Wireshark
C. Process Monitor
D. Fiddler

10 What does 'packing' refer to in the context of malware?

A. Zipping a file for email
B. Compressing or encrypting the executable to hide its code and evade detection
C. Adding more features to the malware
D. Bundling malware with legitimate software

11 Which file format is the standard executable format for Windows, often analyzed during malware forensics?

A. ELF
B. PE (Portable Executable)
C. Mach-O
D. APK

12 When analyzing a suspicious PDF, what specific element is often looked for as a vector for malicious code?

A. Text formatting
B. JavaScript
C. Image resolution
D. Page margins

13 What is a common indicator of a malicious Microsoft Word document?

A. The use of Arial font
B. The presence of VBA Macros (Visual Basic for Applications)
C. The file size being under 1MB
D. The document having a .docx extension

14 Which tool is specifically designed to analyze the structure of OLE (Object Linking and Embedding) streams in Office documents?

A. Oledump.py
B. Nmap
C. Metasploit
D. Burp Suite

15 What is 'Dynamic Malware Analysis'?

A. Reading the source code
B. Running the malware in a controlled environment to observe its behavior
C. Checking the file creation date
D. Scanning the file with an antivirus

16 Which of the following is a risk associated with Dynamic Analysis?

A. The malware might detect the virtual environment and stop running
B. It requires access to the source code
C. It cannot identify network traffic
D. It is only useful for text files

17 What is the function of a 'snapshot' in a virtual machine during malware analysis?

A. To take a picture of the malware author
B. To save the state of the VM so it can be reverted after infection
C. To record the network traffic
D. To print the code

18 Which tool is widely used to monitor real-time file system, registry, and process activity on Windows?

A. Process Monitor (ProcMon)
B. Putty
C. FileZilla
D. VLC

19 In dynamic analysis, what does observing a change in the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry key usually indicate?

A. The system is updating
B. The malware is establishing persistence to run on startup
C. The browser is clearing cache
D. The screen resolution is changing

20 What is 'Process Injection'?

A. Installing a new process via CD
B. Code belonging to one process being written into the address space of another process
C. Stopping a process efficiently
D. Monitoring a process for errors

21 What is a 'Mutex' (Mutual Exclusion) object often used for by malware?

A. To encrypt user files
B. To ensure only one instance of the malware runs at a time
C. To connect to the internet
D. To delete system logs

22 Which network behavior is characteristic of C2 (Command and Control) communication?

A. High bandwidth video streaming
B. Periodic 'beaconing' signals to an external server
C. Local printing traffic
D. Windows Update downloads

23 What is the purpose of using 'FakeNet' or 'INetSim' during dynamic analysis?

A. To increase internet speed
B. To simulate internet services (DNS, HTTP) so malware thinks it is online
C. To hack into the malware author's computer
D. To block all network traffic permanently

24 What is a Fileless Malware attack?

A. Malware that deletes all files on a drive
B. Malware that exists primarily in memory without writing an executable file to the disk
C. Malware transmitted via paper
D. Malware that only targets empty files

25 Which term refers to legitimate system tools (like PowerShell) abused by fileless malware?

A. LOLBins (Living off the Land Binaries)
B. Bloatware
C. Firmware
D. Shareware

26 Which of the following is a common entry point for fileless malware?

A. A physical CD-ROM
B. Exploit kits targeting browser vulnerabilities
C. Connecting a printer
D. Installing a fresh OS

27 What is the role of WMI (Windows Management Instrumentation) in fileless attacks?

A. It acts as a firewall
B. It is used for graphics rendering
C. It can be used to execute scripts and maintain persistence without files
D. It manages the mouse pointer

28 How does a Domain Generation Algorithm (DGA) help malware?

A. It generates random domain names to rendezvous with the C2 server, evading blacklists
B. It encrypts the hard drive
C. It speeds up the infection process
D. It generates strong passwords for the user

29 Which tool is best suited for capturing and analyzing network packets during malware analysis?

A. Wireshark
B. Notepad++
C. Resource Hacker
D. RegEdit

30 What is 'import hashing' (Imphash)?

A. Hashing the file name
B. Hashing the list of imported functions to identify related malware samples
C. Hashing the user's password
D. Hashing the network traffic

31 What is a 'Trojan Horse'?

A. Self-replicating malware
B. Malware disguised as legitimate software to mislead users about its true intent
C. Malware that locks the screen
D. Hardware used to steal data

32 Which component of the PE header contains information about the compilation time of the malware?

A. Time Date Stamp
B. Machine Type
C. Subsystem
D. Pointer to Symbol Table

33 What does the term 'Obfuscation' mean in malware analysis?

A. Deleting the code
B. Making the code difficult for humans and analysis tools to understand
C. Translating the code to English
D. Highlighting important code sections

34 In the context of PDF analysis, what is a '/OpenAction'?

A. A command to close the file
B. A command that specifies an action to perform immediately upon opening the document
C. A permission setting
D. A font style

35 What is 'Sandboxing'?

A. Playing a game
B. Automated dynamic analysis in a secure environment
C. Cleaning the computer case
D. Encrypting a hard drive

36 Which of the following is a symptom of Ransomware?

A. The mouse moves slowly
B. Files are encrypted and a payment note is displayed
C. The web browser opens multiple tabs
D. The computer shuts down randomly

37 What is the primary difference between a Virus and a Worm?

A. Viruses encrypt files; Worms delete them
B. Viruses require a host file and user action to spread; Worms are self-replicating and spread automatically
C. Worms are only for Linux
D. Viruses are hardware-based

38 Why might an analyst check 'Imported Functions' (Imports) in the PE header?

A. To see the file size
B. To guess what the malware is capable of (e.g., networking, file manipulation)
C. To check the author's name
D. To see the icon

39 What does 'Shellcode' refer to in a malicious document?

A. The visual layout of the document
B. Machine code payload used to exploit a vulnerability
C. The name of the file
D. The password protection

40 Which tool allows an analyst to view active TCP and UDP connections in real-time on the host?

A. TCPView
B. Notepad
C. Calculator
D. Paint

41 What is 'DLL Injection'?

A. Removing a DLL file
B. Forcing a process to load a malicious Dynamic Link Library (DLL)
C. Renaming a DLL file
D. Scanning DLLs for viruses

42 What is the 'AutoOpen' macro in Word?

A. A macro that runs automatically when a document is opened
B. A macro that saves the file
C. A macro that prints the file
D. A macro that changes the font

43 How can fileless malware persist using the Windows Registry?

A. By deleting the registry
B. By storing malicious scripts in registry keys and invoking them via PowerShell
C. By changing the desktop background
D. By disabling the mouse

44 Which network protocol is commonly abused for data exfiltration because it is rarely blocked by firewalls?

A. DNS (Domain Name System)
B. ARP
C. DHCP
D. ICMP

45 What is the purpose of 'API Hooking' in malware?

A. To fix bugs in Windows
B. To intercept function calls between the system and applications to modify or monitor behavior
C. To speed up the internet
D. To organize files

46 Which section of a PE file typically contains the executable code?

A. .text
B. .data
C. .rsrc
D. .reloc

47 When analyzing a suspicious URL found in malware, what should an analyst do?

A. Open it in their personal browser immediately
B. Investigate it using reputation services or a safe sandbox environment
C. Ignore it
D. Email the URL to friends

48 What is the primary characteristic of a 'Rootkit'?

A. It displays ads
B. It is designed to hide the existence of certain processes or programs from normal detection methods
C. It encrypts files
D. It spreads via USB

49 What is 'Entropy' used for in static malware analysis?

A. To measure the file temperature
B. To measure the randomness of data, helping identify packed or encrypted code
C. To measure the network speed
D. To count the lines of code

50 Why is 'PowerShell' a frequent target for fileless malware?

A. It is not installed on most computers
B. It has deep access to the Windows API and system management functions without needing new binaries
C. It is a game engine
D. It is a web browser