GIAC Reverse Engineering Malware - GREM Exam Questions [2026]

QUESTION NO: 1
What is the primary goal of behavioral malware analysis?

A. To observe how the malware interacts with the system and network during execution B. To create malware signatures for antivirus software C. To reverse engineer the malware's assembly code D. To detect and remove malware from the system

Correct Answer: A

QUESTION NO: 2
When analyzing .NET malware, which of the following findings would be considered significant?
(Choose Three)

A. Custom attributes that seem irrelevant to the application's core functionality B. Usage of standard .NET libraries for file operations C. Presence of P/Invoke (Platform Invocation Services) calls D. Embedding of native DLLs within the .NET assembly E. Use of obfuscation to hinder decompilation

Correct Answer: C,D,E

QUESTION NO: 3
What feature of PDFs can be abused to hide malicious content? (Choose Two)

A. Layering B. Metadata C. Color profiles D. Compression algorithms

Correct Answer: A,D

QUESTION NO: 4
You are performing static analysis on a suspicious Windows executable. The file has an unusual section labeled .rsrc and imports numerous suspicious DLLs, such as advapi32.dll. What steps should you take to gather more information? (Choose three)

A. Analyze the PE header to understand the executable's structure. B. Attempt to execute the file to see if it triggers any network activity. C. Perform dynamic analysis to observe the behavior when the executable is run. D. Use a tool like Strings to extract any readable text from the binary. E. Review the imports to identify key functions that might suggest malicious behavior.

Correct Answer: A,D,E

QUESTION NO: 5
Which of the following is a common technique used to obfuscate JavaScript?

A. Avoiding the use of any external libraries B. Using extremely verbose variable and function names C. Implementing straightforward logic for code execution D. Employing hex encoding or string manipulation

Correct Answer: D

QUESTION NO: 6
What aspects should be analyzed to determine if a macro in an Office file is self-replicating?
(Choose Two)

A. The macro's interaction with the Office clipboard. B. Code snippets that duplicate the macro within the same document. C. The presence of code that modifies the startup folder. D. The macro's ability to copy itself to other documents.

Correct Answer: B,D

QUESTION NO: 7
What file structure is analyzed in the static analysis of a Windows executable?

A. ELF header B. PE header C. FAT32 D. X64 assembly

Correct Answer: B

QUESTION NO: 8
Which of the following is a common obfuscation technique used in .NET malware?

A. Code injection B. String encryption C. Process hollowing D. Packed sections

Correct Answer: B

QUESTION NO: 9
What techniques are commonly used by attackers in malicious RTF files? (Choose two)

A. Embedding shellcode in OLE objects B. Hiding malicious code in RTF metadata C. Exploiting CVE-2017-0199 D. Embedding malicious URLs in RTF comments

Correct Answer: A,C

QUESTION NO: 10
What is a key indicator that JavaScript code has been obfuscated?

A. Frequent use of JavaScript best practices B. Presence of detailed comments C. Unusual or inconsistent formatting and encoding D. Consistent use of meaningful variable names

Correct Answer: C

QUESTION NO: 11
What is the primary purpose of analyzing loops in a malware sample?

A. To determine the payload's execution frequency B. To understand the conditions for the malware's persistence or termination C. To detect the presence of cryptographic routines D. To quantify the malware's size

Correct Answer: B

QUESTION NO: 12
What is the significance of identifying obfuscated code within a macro?

A. It ensures compatibility across different Office platforms. B. It enhances the macro's performance. C. It may indicate attempts to hide malicious code from analysis. D. It typically signifies the presence of intellectual property.

Correct Answer: C

QUESTION NO: 13
You are analyzing a malware sample and notice it uses multiple JMP instructions that lead to dead code segments, making it difficult to follow the actual execution flow. What steps should you take to overcome this misdirection technique? (Choose three)

A. Patch the binary to remove unnecessary JMP instructions. B. Trace the stack during execution to identify valid code paths. C. Use dynamic analysis to observe the actual execution flow of the malware. D. Modify the binary to change the JMP instructions to NOPs. E. Analyze each JMP instruction to determine whether it leads to valid code.

Correct Answer: B,C,E