Unit 6 - Practice Quiz

INT250 50 Questions

1 What is the primary definition of malware in the context of digital evidence analysis?

A. Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system
B. Network protocols used for secure communication
C. Software designed to improve system performance
D. Hardware components that fail due to overheating

2 Which of the following is a common technique used by attackers to spread malware via email?

A. Packet Sniffing
B. SQL Injection
C. Phishing
D. Port Scanning

3 What is a 'Drive-by Download'?

A. Unintended download of malicious code by visiting a compromised website
B. Copying files from a USB stick
C. Downloading software from a physical drive
D. Manually downloading a file from an email

4 Which term describes malicious advertisements used to distribute malware?

A. Adware
B. Spyware
C. Ransomware
D. Malvertising

5 What is the primary goal of Malware Forensics?

A. To design new antivirus software
B. To understand the capabilities, origin, and impact of a malicious sample
C. To increase network speed
D. To repair broken hardware

6 Which analysis type involves examining the malware without executing it?

A. Memory Forensics
B. Behavioral Analysis
C. Static Analysis
D. Dynamic Analysis

7 Which environment is most recommended for performing malware analysis to prevent infection of the host system?

A. The analyst's personal laptop
B. An isolated Virtual Machine (VM) or Sandbox
C. A public Wi-Fi network
D. Production Server

8 In Static Analysis, what is the purpose of calculating the file hash (MD5, SHA256)?

A. To execute the file safely
B. To decrypt the file
C. To compress the file size
D. To identify the file uniquely and check against databases like VirusTotal

9 What tool is commonly used in static analysis to extract readable text strings from a binary?

A. Strings
B. Process Monitor
C. Fiddler
D. Wireshark

10 What does 'packing' refer to in the context of malware?

A. Compressing or encrypting the executable to hide its code and evade detection
B. Bundling malware with legitimate software
C. Zipping a file for email
D. Adding more features to the malware

11 Which file format is the standard executable format for Windows, often analyzed during malware forensics?

A. Mach-O
B. APK
C. PE (Portable Executable)
D. ELF

12 When analyzing a suspicious PDF, what specific element is often looked for as a vector for malicious code?

A. Image resolution
B. JavaScript
C. Text formatting
D. Page margins

13 What is a common indicator of a malicious Microsoft Word document?

A. The file size being under 1MB
B. The use of Arial font
C. The document having a .docx extension
D. The presence of VBA Macros (Visual Basic for Applications)

14 Which tool is specifically designed to analyze the structure of OLE (Object Linking and Embedding) streams in Office documents?

A. Nmap
B. Oledump.py
C. Metasploit
D. Burp Suite

15 What is 'Dynamic Malware Analysis'?

A. Running the malware in a controlled environment to observe its behavior
B. Checking the file creation date
C. Reading the source code
D. Scanning the file with an antivirus

16 Which of the following is a risk associated with Dynamic Analysis?

A. The malware might detect the virtual environment and stop running
B. It is only useful for text files
C. It cannot identify network traffic
D. It requires access to the source code

17 What is the function of a 'snapshot' in a virtual machine during malware analysis?

A. To print the code
B. To save the state of the VM so it can be reverted after infection
C. To take a picture of the malware author
D. To record the network traffic

18 Which tool is widely used to monitor real-time file system, registry, and process activity on Windows?

A. Process Monitor (ProcMon)
B. Putty
C. FileZilla
D. VLC

19 In dynamic analysis, what does observing a change in the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' registry key usually indicate?

A. The screen resolution is changing
B. The browser is clearing cache
C. The system is updating
D. The malware is establishing persistence to run on startup

20 What is 'Process Injection'?

A. Code belonging to one process being written into the address space of another process
B. Installing a new process via CD
C. Monitoring a process for errors
D. Stopping a process efficiently

21 What is a 'Mutex' (Mutual Exclusion) object often used for by malware?

A. To connect to the internet
B. To ensure only one instance of the malware runs at a time
C. To delete system logs
D. To encrypt user files

22 Which network behavior is characteristic of C2 (Command and Control) communication?

A. Periodic 'beaconing' signals to an external server
B. Local printing traffic
C. Windows Update downloads
D. High bandwidth video streaming

23 What is the purpose of using 'FakeNet' or 'INetSim' during dynamic analysis?

A. To hack into the malware author's computer
B. To simulate internet services (DNS, HTTP) so malware thinks it is online
C. To increase internet speed
D. To block all network traffic permanently

24 What is a Fileless Malware attack?

A. Malware that only targets empty files
B. Malware that deletes all files on a drive
C. Malware that exists primarily in memory without writing an executable file to the disk
D. Malware transmitted via paper

25 Which term refers to legitimate system tools (like PowerShell) abused by fileless malware?

A. Firmware
B. LOLBins (Living off the Land Binaries)
C. Bloatware
D. Shareware

26 Which of the following is a common entry point for fileless malware?

A. A physical CD-ROM
B. Connecting a printer
C. Installing a fresh OS
D. Exploit kits targeting browser vulnerabilities

27 What is the role of WMI (Windows Management Instrumentation) in fileless attacks?

A. It can be used to execute scripts and maintain persistence without files
B. It manages the mouse pointer
C. It acts as a firewall
D. It is used for graphics rendering

28 How does Domain Generation Algorithm (DGA) help malware?

A. It generates random domain names to rendezvous with the C2 server, evading blacklists
B. It speeds up the infection process
C. It generates strong passwords for the user
D. It encrypts the hard drive

29 Which tool is best suited for capturing and analyzing network packets during malware analysis?

A. RegEdit
B. Resource Hacker
C. Notepad++
D. Wireshark

30 What is 'import hashing' (Imphash)?

A. Hashing the file name
B. Hashing the list of imported functions to identify related malware samples
C. Hashing the user's password
D. Hashing the network traffic

31 What is a 'Trojan Horse'?

A. Hardware used to steal data
B. Malware disguised as legitimate software to mislead users about its true intent
C. Self-replicating malware
D. Malware that locks the screen

32 Which component of the PE header contains information about the compilation time of the malware?

A. Subsystem
B. Time Date Stamp
C. Pointer to Symbol Table
D. Machine Type

33 What does the term 'Obfuscation' mean in malware analysis?

A. Highlighting important code sections
B. Making the code difficult for humans and analysis tools to understand
C. Translating the code to English
D. Deleting the code

34 In the context of PDF analysis, what is a '/OpenAction'?

A. A command that specifies an action to perform immediately upon opening the document
B. A command to close the file
C. A font style
D. A permission setting
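Worked example for Questions 12 and 34, added by the editor and not part of the original quiz: a small triage script that counts the PDF names an analyst looks for (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile) and pulls out inline /JS payloads. The practitioner's caveat it handles is that PDF name objects may be hex-escaped (/Java#53cript is a valid spelling of /JavaScript), so names are normalised before matching, as pdfid does. The sample PDF is constructed for this example; indirect references and compressed streams are out of scope.

```python
import re

# PDF name objects worth flagging when triaging a document (Questions 12 and 34).
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF name objects.

    The PDF syntax allows /Java#53cript as a spelling of /JavaScript, and
    malicious files use that to evade tools that grep for the literal keyword.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names after un-escaping; a name ends at a delimiter or whitespace."""
    normalized = normalize_pdf_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, normalized))
        if hits:
            counts[name] = hits
    return counts


def _read_literal(buf: bytes, start: int) -> bytes:
    """Read a PDF literal string starting at buf[start] == b'('.

    Handles balanced nested parentheses; backslash escapes are simplified to
    'copy the next byte' (so \\n comes back as 'n'), which is enough for triage.
    """
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i]
        if c == 0x5C:  # backslash: keep the escaped byte verbatim
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == 0x28:  # (
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:  # )
            depth -= 1
            if depth == 0:
                return bytes(out)
            out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out)


def extract_js(data: bytes) -> list:
    """Return inline /JS payloads written as literal (...) or hex <...> strings.

    Indirect references (/JS 5 0 R) and stream objects are not resolved here.
    """
    normalized = normalize_pdf_names(data)
    payloads = []
    for m in re.finditer(rb"/JS\s*(?=[(<])", normalized):
        pos = m.end()
        if normalized[pos] == 0x28:
            payloads.append(_read_literal(normalized, pos))
        else:
            end = normalized.index(b">", pos)
            hexdigits = re.sub(rb"\s", b"", normalized[pos + 1:end])
            if len(hexdigits) % 2:      # spec: a missing final digit is taken as 0
                hexdigits += b"0"
            payloads.append(bytes.fromhex(hexdigits.decode()))
    return payloads


# Constructed sample: a one-page PDF whose catalog runs a JavaScript action on open,
# with the action type spelled /Java#53cript to dodge naive keyword matching.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    for js in extract_js(SAMPLE_PDF):
        print(js.decode(errors="replace"))
```

Running it on the sample reports one /OpenAction, one /JavaScript and one /JS, and prints the recovered script. Real samples usually hide the script in a FlateDecode stream or an object stream, which is where pdf-parser.py or peepdf take over; the point here is that the keyword count has to be done on un-escaped names or the /OpenAction chain is missed.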

35 What is 'Sandboxing'?

A. Encrypting a hard drive
B. Playing a game
C. Cleaning the computer case
D. Automated dynamic analysis in a secure environment

36 Which of the following is a symptom of Ransomware?

A. The web browser opens multiple tabs
B. The mouse moves slowly
C. Files are encrypted and a payment note is displayed
D. The computer shuts down randomly

37 What is the primary difference between a Virus and a Worm?

A. Viruses require a host file and user action to spread; Worms are self-replicating and spread automatically
B. Viruses encrypt files; Worms delete them
C. Worms are only for Linux
D. Viruses are hardware-based

38 Why might an analyst check 'Imported Functions' (Imports) in the PE header?

A. To check the author's name
B. To guess what the malware is capable of (e.g., networking, file manipulation)
C. To see the file size
D. To see the icon

39 What does 'Shellcode' refer to in a malicious document?

A. The name of the file
B. The visual layout of the document
C. The password protection
D. Machine code payload used to exploit a vulnerability

40 Which tool allows an analyst to view active TCP and UDP connections in real-time on the host?

A. Calculator
B. Paint
C. Notepad
D. TCPView

41 What is 'DLL Injection'?

A. Forcing a process to load a malicious Dynamic Link Library (DLL)
B. Scanning DLLs for viruses
C. Renaming a DLL file
D. Removing a DLL file

42 What is the 'AutoOpen' macro in Word?

A. A macro that changes the font
B. A macro that saves the file
C. A macro that prints the file
D. A macro that runs automatically when a document is opened

43 How can fileless malware persist using the Windows Registry?

A. By disabling the mouse
B. By storing malicious scripts in registry keys and invoking them via PowerShell
C. By deleting the registry
D. By changing the desktop background
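Worked example for Questions 19, 25 and 43, added by the editor and not part of the original quiz: an audit of the HKCU Run key as exported to a .reg file. It flags values that launch a living-off-the-land binary with a hidden window, decodes a PowerShell -EncodedCommand blob (base64 of UTF-16LE), and recognises the Question 43 pattern of a stager that reads its real payload from another registry value and evaluates it. The .reg export, the value names, the stager and the thresholds are all constructed for this example.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match every
# prefix from -e to -encodedcommand (longest first), followed by the base64 blob.
_ENC_FLAGS = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENC_RE = re.compile(r"(?<!\S)-(?:" + _ENC_FLAGS + r")\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Living-off-the-land binaries (Question 25) that rarely belong in a user's Run key.
LOLBINS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "cmd.exe")
# Registry-resident payload (Question 43): read a value, then evaluate it.
REGISTRY_READ_RE = re.compile(r"Get-ItemProperty|\.GetValue\(|reg(?:\.exe)?\s+query", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.I)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a .reg export.

    .reg files escape backslash and double quote with a backslash; only string
    values are handled (hex(...) binary values are ignored).
    """
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                result[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return result


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_run_keys(reg: dict) -> list:
    """Flag Run-key values (Question 19) that look like script-host persistence."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, cmd in values.items():
            reasons = []
            if any(b in cmd.lower() for b in LOLBINS):
                reasons.append("lolbin")
            if HIDDEN_RE.search(cmd):
                reasons.append("hidden-window")
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append("encoded-command")
                if REGISTRY_READ_RE.search(decoded) and EXEC_RE.search(decoded):
                    reasons.append("registry-resident-payload")
            if reasons:
                findings.append({"key": key, "value": name, "command": cmd,
                                 "decoded": decoded, "reasons": reasons})
    return findings


# Constructed sample: one benign autorun and one PowerShell stager whose real
# payload lives in another registry value (the Question 43 technique).
STAGER = ("IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("
          "(Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Cfg').Blob)))")
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode()
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    '"Updater"="powershell.exe -w hidden -nop -enc ' + ENCODED + '"',
])

if __name__ == "__main__":
    for f in audit_run_keys(parse_reg_export(SAMPLE_REG)):
        print(f["value"], f["reasons"])
        print("  decoded:", f["decoded"])
```

The OneDrive entry passes and the Updater entry is reported with all four reasons. A Run key is only one autostart location: HKLM\...\Run, RunOnce, scheduled tasks, services and WMI event subscriptions (Question 27) need the same treatment, which is what Sysinternals Autoruns enumerates. The decoded script is the pivot: its Get-ItemProperty target tells you which other value holds the payload.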

44 Which network protocol is commonly abused for data exfiltration because it is rarely blocked by firewalls?

A. ICMP
B. DHCP
C. ARP
D. DNS (Domain Name System)
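Worked example for Questions 22, 28 and 44, added by the editor and not part of the original quiz: detection logic over connection and DNS logs that an analyst would capture with Wireshark or Zeek during dynamic analysis. It flags beaconing by the regularity of inter-arrival times, DGA activity by a host collecting NXDOMAIN answers for many high-entropy names, and DNS exfiltration by many long, distinct subdomains under one domain. The log records, IPs, domain names and thresholds are constructed for this example.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(26) = 4.7 is the ceiling for lowercase letters, words sit near 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_beacons(conns, min_events=6, max_cv=0.2):
    """conns: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).

    Beaconing (Question 22) shows up as a flow whose gaps between connections are
    nearly constant: a low coefficient of variation (stdev / mean). Thresholds are assumptions.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"flow": flow, "events": len(times),
                         "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def find_suspicious_dns(queries, min_sld_len=12, entropy_threshold=3.5,
                        min_nxdomains=5, min_subdomains=20, min_sub_len=30):
    """queries: iterable of (epoch_seconds, src_ip, qname, rcode).

    DGA (Question 28): a host that gets NXDOMAIN for many distinct high-entropy
    second-level labels is iterating generated names until one resolves.
    Exfil/tunnelling (Question 44): many distinct long subdomains under one domain
    from one host means the data is travelling in the query names.
    """
    nx_by_src = defaultdict(set)
    subs = defaultdict(set)
    for _, src, qname, rcode in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        # Assumption: registered domain = last two labels (public suffixes like co.uk need a suffix list).
        registered = ".".join(labels[-2:])
        sld = labels[-2]
        if rcode == "NXDOMAIN" and len(sld) >= min_sld_len and shannon_entropy(sld) >= entropy_threshold:
            nx_by_src[src].add(registered)
        if len(labels) > 2:
            subs[(src, registered)].add(".".join(labels[:-2]))
    dga_hosts = {src: len(d) for src, d in nx_by_src.items() if len(d) >= min_nxdomains}
    exfil = []
    for (src, domain), names in subs.items():
        mean_len = statistics.fmean(len(n) for n in names)
        if len(names) >= min_subdomains and mean_len >= min_sub_len:
            exfil.append({"src": src, "domain": domain, "distinct_subdomains": len(names),
                          "mean_subdomain_len": round(mean_len, 1),
                          "mean_entropy": round(statistics.fmean(shannon_entropy(n) for n in names), 2)})
    return {"dga_hosts": dga_hosts, "exfil": exfil}


# Constructed logs: 10.0.0.5 beacons every ~60 s with a few seconds of jitter and runs a DGA,
# 10.0.0.7 browses normally, 10.0.0.9 pushes data out through DNS query names.
T0 = 1_700_000_000
SAMPLE_CONNS = (
    [(T0 + off, "10.0.0.5", "203.0.113.10", 443) for off in (0, 60, 123, 181, 242, 301, 363, 423, 480, 541)]
    + [(T0 + off, "10.0.0.7", "198.51.100.20", 443) for off in (0, 7, 95, 101, 400, 402, 900)]
)
DGA_NAMES = ["xkqwjdmplrtvbz.com", "qpzmrytwlkdhxc.net", "vbnjkdfgtrwq.com",
             "plmkoijnuhby.org", "zxcvbnmasdfghj.net", "wertyuiopasdf.com"]
SAMPLE_DNS = (
    [(T0 + i, "10.0.0.5", name, "NXDOMAIN") for i, name in enumerate(DGA_NAMES)]
    + [(T0 + 10, "10.0.0.5", "mnbvcxzlkjhgfd.com", "NOERROR")]
    + [(T0 + 20 + i, "10.0.0.7", name, "NOERROR") for i, name in
       enumerate(["www.microsoft.com", "login.live.com", "fonts.googleapis.com", "d1abc.cloudfront.net"])]
    + [(T0 + 100 + i, "10.0.0.9", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".example.net", "NOERROR")
       for i in range(25)]
)

if __name__ == "__main__":
    print(find_beacons(SAMPLE_CONNS))
    print(find_suspicious_dns(SAMPLE_DNS))
```

On the sample data the 10.0.0.5 to 203.0.113.10:443 flow is reported with a 60 s period, 10.0.0.5 is reported as a DGA host with six unresolved generated domains, and 10.0.0.9 is reported for 25 distinct 48-character subdomains under example.net. Two caveats: real implants add jitter and sleep, so the coefficient-of-variation threshold must be tuned against your own baseline, and entropy alone misfires on long legitimate names (CDN hostnames, hashed asset names), which is why the DGA rule also requires NXDOMAIN answers.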

45 What is the purpose of 'API Hooking' in malware?

A. To organize files
B. To intercept function calls between the system and applications to modify or monitor behavior
C. To speed up the internet
D. To fix bugs in Windows

46 Which section of a PE file typically contains the executable code?

A. .reloc
B. .text
C. .data
D. .rsrc

47 When analyzing a suspicious URL found in malware, what should an analyst do?

A. Open it in their personal browser immediately
B. Ignore it
C. Email the URL to friends
D. Investigate it using reputation services or a safe sandbox environment

48 What is the primary characteristic of a 'Rootkit'?

A. It displays ads
B. It is designed to hide the existence of certain processes or programs from normal detection methods
C. It spreads via USB
D. It encrypts files

49 What is 'Entropy' used for in static malware analysis?

A. To measure the file temperature
B. To count the lines of code
C. To measure the network speed
D. To measure the randomness of data, helping identify packed or encrypted code
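Worked example for Questions 8, 9, 10, 11, 32, 46 and 49, added by the editor and not part of the original quiz: a static triage pass over a PE file using only the standard library. It computes the MD5/SHA256 identifiers, extracts ASCII and UTF-16LE strings, walks the DOS header to the COFF file header for the machine type and TimeDateStamp, lists the sections with their entropy, and flags sections whose entropy suggests packing or encryption. The PE being analysed is built in code, since a real sample cannot ship in a quiz; the 7.0-bit packing threshold is a rule-of-thumb assumption.

```python
import hashlib
import json
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

PACKED_ENTROPY = 7.0  # assumption: usual rule of thumb; compressed/encrypted data approaches 8 bits/byte


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (Question 49)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Identifiers to pivot on in VirusTotal and similar services (Question 8)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """What `strings` prints (Question 9), plus UTF-16LE strings, which Windows binaries use heavily."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return ([m.group().decode() for m in re.finditer(ascii_re, data)]
            + [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)])


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF file header -> section table (Questions 11, 32, 46)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]       # first field of the optional header
    sections, table = [], pe_off + 24 + opt_size
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_address": hex(vaddr), "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2)})
    return {"machine": hex(machine),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "sections": sections}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    interesting = ("http", "cmd.exe", "powershell", "upx", "\\temp\\")
    return {**file_hashes(data), **pe,
            "overall_entropy": round(entropy(data), 2),
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] >= PACKED_ENTROPY],
            "notable_strings": [s for s in extract_strings(data) if any(k in s.lower() for k in interesting)]}


def build_sample_pe(timestamp: int = 1_700_000_000) -> bytes:
    """Constructed toy PE32 (not a real sample): a repetitive .text section carrying one
    URL string, and a pseudo-random section named UPX1, the name UPX gives packed code."""
    code = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 58 + b"http://203.0.113.10/gate.php\0"
    text = code + b"\0" * (512 - len(code))
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes

    def section_header(name, raw, raw_off, va):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics (code|exec|read)
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_off, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                         # PE32 magic, rest zeroed
    text_off = 512
    headers = (dos + coff + optional
               + section_header(b".text", text, text_off, 0x1000)
               + section_header(b"UPX1", packed, text_off + len(text), 0x2000))
    return headers + b"\0" * (text_off - len(headers)) + text + packed


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

The report for the built sample shows an i386 PE32 with a 2023-11-14 TimeDateStamp, a low-entropy .text section, a UPX1 section above the packing threshold, and the gate.php URL among the strings. Treat the timestamp as a clue rather than a fact: the linker writes it, so it can be zeroed or set to any value, and reproducible builds replace it with a hash. Likewise a high-entropy section is a prompt to look for a packer signature or an unpacking stub at the entry point, not proof by itself; for imports and imphash (Questions 30 and 38) the pefile library does the import-table walk this stdlib parser omits.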

50 Why is 'PowerShell' so frequently abused by fileless malware?

A. It is a web browser
B. It is not installed on most computers
C. It has deep access to the Windows API and system management functions without needing new binaries
D. It is a game engine