GREM Exam Questions
192 real GREM exam questions with expert-verified answers and explanations. Page 1 of 4.
- Question #1
When analyzing a PDF file for malicious content, why is it important to examine the file's metadata?
- Question #2
In analyzing macros, why is it important to examine the API calls made by the macros?
- Question #3
You are analyzing malware and notice a complex sequence of conditional branches and JMP instructions. The malware seems to randomly alter its execution flow based on certain condit...
- Question #4
Which tool is most commonly used to analyze JavaScript embedded within a malicious PDF?
- Question #5
What is the primary goal of static analysis in malware reverse engineering?
- Question #6
You are analyzing a malware sample in a debugger and notice the use of the CALL instruction followed by the manipulation of the EAX register. You suspect the malware is using custo...
- Question #7
When encountering obfuscated JavaScript within a webpage, what is the initial step an analyst should take?
- Question #8
Which tool is commonly used to extract metadata from a suspected malware file without executing it?
- Question #9
Which of the following behaviors could indicate that a macro in an Office document is malicious? (Choose two)
- Question #10
How can obfuscated call instructions within malware be identified and analyzed? (Choose Two)
- Question #11
In malware analysis, what does repairing unpacked malware refer to?
- Question #12
What techniques are commonly used by attackers in malicious RTF files? (Choose two)
- Question #13
In assembly language, which instruction is commonly used for conditional execution?
- Question #14
Which actions are typically performed by .NET malware and should be analyzed during reverse engineering? (Choose Two)
- Question #15
Which of the following indicators should raise suspicion when analyzing a PDF? (Choose Two)
- Question #16
In the context of PDF analysis, what does the term "JavaScript deobfuscation" typically refer to?
- Question #17
What is one of the primary purposes of misdirection techniques used by malware?
- Question #18
Which of the following file types can potentially be embedded within a malicious PDF? (Choose Two)
- Question #19
Which instructions are commonly used in the prologue of a function in x86 assembly? (Choose two)
- Question #20
When analyzing malicious software, what is an indicator of anti-emulation techniques being used?
- Question #21
What characteristic feature would analysts typically NOT expect to find in packed malware?
- Question #22
Which section in a PDF file typically stores the most important structure and object references for analysis?
- Question #23
What is the typical behavior of a malicious RTF file when opened in a vulnerable application?
- Question #24
In PDF analysis, what is the significance of detecting a '/Launch' action within the document?
- Question #25
Which of the following Windows API functions is commonly used by malware to alter the flow of execution within another process? (Choose Two)
- Question #26
What is a common indicator that a function in assembly language is about to return a value?
- Question #27
What is the primary reason attackers pack malware binaries?
- Question #28
API hooking implemented by malware is primarily used for which purpose?
- Question #29
What is a key indicator that JavaScript code has been obfuscated?
- Question #30
When analyzing a Windows executable, which of the following indicators most strongly suggests that the file is packed?
- Question #31
When using a debugger on .NET malware, what would be a primary reason to set a breakpoint at a specific method?
- Question #32
What is the primary objective of conducting a static analysis on a suspected malware file?
- Question #33
You are analyzing a malware sample that appears to inject malicious code into the explorer.exe process. During execution, the malware creates a remote thread in explorer.exe and us...
- Question #34
You are analyzing a malware sample in IDA Pro and identify a suspicious function written in assembly. The function uses multiple PUSH and MOV instructions and ends with a RET. How...
- Question #35
What does the presence of DllImport attribute indicate in a .NET assembly? (Choose Two)
- Question #36
In the context of .NET reverse engineering, what is the primary purpose of examining the Intermediate Language (IL) code?
- Question #37
What is the significance of the RET instruction in assembly language?
- Question #38
When analyzing a malware sample, why is it important to examine the strings contained within the binary?
- Question #39
What is the primary advantage of .NET malware for attackers?
- Question #40
What is the significance of analyzing the macro's trigger mechanism in a Microsoft Office document?
- Question #41
Which anti-analysis technique involves redirecting the execution flow of a program to unrelated instructions or loops?
- Question #42
Which tools are essential for performing static analysis on .NET malware? (Choose Two)
- Question #43
Which Windows API function is commonly used by malware to hide its presence from task managers and system monitors?
- Question #44
Which of the following tools is commonly used for basic static analysis of malware?
- Question #45
What is the primary use of a debugger in the context of unpacking malware?
- Question #46
Which fundamental static analysis techniques are used to examine malware without executing it? (Choose two)
- Question #47
Why might a malware analyst examine the conditional statements within a malware's assembly code?
- Question #48
Which of the following are reasons malware might use the VirtualAllocEx function? (Choose Two)
- Question #49
What methods do malware developers use to bypass static analysis? (Choose two)
- Question #50
What feature of PDFs can be abused to hide malicious content? (Choose Two)