Question 6 - ECcouncil CHFI 312-49v10 Real Exam Questions [April 2026 Update]

Q: 6

Shane has started the static analysis of a malware and is using the tool ResourcesExtract to find more details of the malicious program. What part of the analysis is he performing?

Options

Discussion

Aaron R. Mar 21, 2026 3:38 am

Option B makes sense. ResourcesExtract pulls embedded resources and string tables from executables, which lines up with a static strings search. Pretty sure about this, not dynamic since he isn’t running the malware. Agree?

Robin Mar 29, 2026 5:38 am

B is what I'd pick, since ResourcesExtract pulls out strings and readable data from executables during static analysis. It's not really mapping dependencies, more just extracting info you can scan for IOCs. Pretty sure about this, but if someone thinks A fits better let me know.

Avery S. Mar 29, 2026 12:44 pm

B saw a similar question in exam reports and ResourcesExtract always points to string searching not dynamic stuff.

Mason R. Apr 6, 2026 12:23 pm

Cameron E. Mar 25, 2026 2:34 am

Its B. ResourcesExtract pulls out strings and resources from executables, so this would be a static strings search. If it was dynamic analysis we'd need to execute the malware, which isn't the case here.

Reese F. Mar 28, 2026 1:38 pm

B , pretty sure from practice tests and the official guide, but open to other ideas.

Ava Apr 4, 2026 3:48 am

Why not C here? Static analysis means the code isn't run, which doesn't fit dynamic.

MethodicalSec2200 Apr 8, 2026 12:19 am

I don't think it's A here. ResourcesExtract is mostly used for string extraction in static analysis, not for listing dependencies. B makes more sense since that's its main function with malware samples.

Rowan Apr 8, 2026 12:54 pm

Its B. ResourcesExtract is for pulling out strings or embedded resources, not file dependencies. A feels like a trick option here.

Anita Mar 20, 2026 2:56 am

B tbh, ResourcesExtract is mainly used to pull strings or readable resources during static analysis. Dependency mapping is more for things like Dependency Walker, not this tool. Makes sense if you look at what static analysis usually targets.

Be respectful. No spam.

Correct Answer:

Explanation

The question describes Shane performing static analysis using the tool ResourcesExtract. This tool is specifically designed to scan executable files (e.g., EXE, DLL) and extract embedded resources. Among the resources it can extract are icons, version information, and, crucially, string tables. The process of extracting and examining these string tables for human-readable text is a form of "Strings search." This is a fundamental technique in static malware analysis used to uncover potential indicators of compromise (IoCs) like IP addresses, URLs, file paths, or commands without executing the code.

Why Incorrect

A. Identifying File Dependencies: This is typically done by analyzing the PE header's import table with tools like Dependency Walker or PE-bear, not by extracting resources.

C. Dynamic analysis: This involves running the malware in a controlled environment to observe its behavior. The question explicitly states Shane is performing static analysis.

D. File obfuscation: This is a technique used by malware authors to hide code. The analyst's job is to de-obfuscate, not perform obfuscation.

---

References

1. Official Vendor Documentation: NirSoft, the creator of ResourcesExtract, describes the tool's function: "ResourcesExtract is a small utility that scans dll/exe files and extract all resources (bitmaps, icons, cursors, AVI files, HTML files, String Table, and more) from them into the folder that you specify."

Source: Nir Sofer, "ResourcesExtract v1.26," NirSoft.net. Retrieved from https://www.nirsoft.net/utils/resourcesextract.html (Accessed on the latest date).

2. Academic/Courseware Reference: The widely-used textbook in computer security and malware analysis courses, "Practical Malware Analysis," details the steps of basic static analysis. It dedicates sections to analyzing strings and the PE file resource section, confirming that examining resources for strings is a key part of the process.

Source: Sikorski, M., & Honig, A. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press. (See Chapter 5: "Basic Static Analysis," specifically the sections on "The PE File Headers and Sections" and "Analyzing Strings").

3. University Courseware: SANS Institute, a reputable institution for cybersecurity education, outlines static analysis techniques in its malware analysis courses (e.g., FOR610). Analyzing strings and resources are core components of the "Basic Static Analysis" phase.

Source: SANS Institute. (2023). FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. Course Syllabus and Materials. The methodology taught consistently places string and resource analysis as a primary step in static analysis.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE