GREM Exam Questions
192 real GREM exam questions with expert-verified answers and explanations. Page 2 of 4.
- Question #51
Which of the following are common execution flow control mechanisms in assembly language? (Choose Two)
- Question #52
Which of the following is a common technique used to obfuscate JavaScript?
- Question #53
What is a key sign that a macro in a Microsoft Office document might be malicious?
- Question #54
What is the most effective method for analyzing obfuscated malware that uses dynamic code generation?
- Question #55
What assembly constructs could malware use to complicate static analysis? (Choose Three)
- Question #56
What behaviors in a PDF file could indicate malicious intent? (Choose two)
- Question #57
You are reverse-engineering a malware sample and observe that the executable checks for the presence of a debugger before launching its malicious payload. How would you proceed to...
- Question #58
Which static analysis techniques are commonly used to investigate malware? (Choose two)
- Question #59
Which of the following file attributes can be considered a static property when analyzing malware?
- Question #60
When a malware analyst encounters the use of system calls within a malware sample's assembly code, what is the significance?
- Question #61
What is a common anti-analysis technique that involves redirecting the malware's execution flow?
- Question #62
Why might malware use indirect jumps and calls as part of its execution flow?
- Question #63
Analyzing the decompressed content of an RTF file is essential for what reason?
- Question #64
In malware analysis, why is it important to identify the packer used in a malware sample?
- Question #65
Which methods are commonly used by malware authors to obfuscate their code? (Choose two)
- Question #66
Which technique is commonly used to obfuscate strings in malware?
- Question #67
You are analyzing a suspicious Office document received as an email attachment. Upon opening, you notice the document attempts to run a macro that accesses external servers and mak...
- Question #68
What aspects should be analyzed to determine if a macro in an Office file is self-replicating? (Choose Two)
- Question #69
Which of the following is a common technique used by attackers to exploit vulnerabilities in RTF files?
- Question #70
You are investigating a suspicious .NET malware sample that uses encrypted strings to hide its payload. You've identified the decryption routine. How would you proceed with the ana...
- Question #71
Which of the following is a sign that a malware sample is packed?
- Question #72
Which of the following is a common persistence mechanism used by malware?
- Question #73
When analyzing .NET malware, which of the following findings would be considered significant? (Choose Three)
- Question #74
In the context of malware analysis, what is the significance of identifying a call to the CreateProcess function with the CREATE_SUSPENDED flag?
- Question #75
Which of the following would be considered an advanced static analysis technique?
- Question #76
Which elements within an RTF document are critical to review for signs of exploitation or malicious activity? (Choose Two)
- Question #77
What is the primary purpose of analyzing loops in a malware sample?
- Question #78
Which of the following API calls is commonly used by malware to download additional payloads?
- Question #79
What role do conditional statements like CMP and JE play in malware flow control?
- Question #80
Which of the following actions should be scrutinized while analyzing macros in suspicious Office files? (Choose Two)
- Question #81
In the context of Office macros, what does the term "persistence" refer to?
- Question #82
Which technique can be utilized to hide malicious macro code within an Office document?
- Question #83
In the context of RTF file analysis, what purpose does examining hexadecimal content serve?
- Question #84
You are performing static analysis on a suspicious Windows executable. The file has an unusual section labeled .rsrc and imports numerous suspicious DLLs, such as advapi32.dll. Wha...
- Question #85
The use of which API function might indicate that malware is attempting to modify system-level settings or interfere with system processes?
- Question #86
Which Windows process is often targeted by malware for process injection techniques?
- Question #87
What is the significance of finding extensive use of System.Reflection namespace in a .NET malware sample?
- Question #88
Which approach can help in bypassing malware that employs timing checks to detect analysis tools?
- Question #89
What technique can be employed to analyze the behavior of a suspicious PDF without executing any malicious code?
- Question #90
Why would malware authors use the LoadLibrary API call within their code? (Choose Two)
- Question #91
What tool is commonly used to decompile .NET binaries for analysis?
- Question #92
Which of the following statements is true when dealing with malware that employs misdirection through code restructuring?
- Question #93
What is one way to investigate if a macro in an Office document is malicious?
- Question #94
Which register in x86 assembly is typically used to store the return value of a function?
- Question #95
In the analysis of a suspicious Office file's macro, which of the following elements would be crucial to investigate? (Choose Three)
- Question #96
Why would an analyst examine the timestamps within the metadata of a suspected malware file?
- Question #97
Which tool can be used to monitor network traffic during behavioral analysis of a malware sample?
- Question #98
You are analyzing a suspicious RTF file that is suspected of exploiting a buffer overflow vulnerability. The file contains multiple embedded OLE objects, and the content appears ob...
- Question #99
In assembly language analysis, what is typically the purpose of the EBP register within a function?
- Question #100
Which of the following are commonly observed behaviors in malware during behavioral analysis? (Choose two)