A wrapper is the most accurate choice because it describes a technique where a legitimate program is bundled together with a malicious payload so that, when the user launches what appears to be a normal installer or application, both the real software and the malware run. CEH materials commonly explain wrappers in the context of Trojanization: the attacker “wraps” a trusted executable or installer with an additional hidden component. This preserves normal functionality to avoid suspicion while still achieving covert execution of the malicious code. In the scenario, the PDF converter installs and works as expected, but a hidden executable runs silently and begins outbound communication—this is classic wrapper behavior designed to maintain user trust and reduce detection through normal user experience.

The other options do not fit as well. A downloader is malware whose primary purpose is to fetch additional payloads from the network; while outbound communication occurs here, the scenario emphasizes bundling and simultaneous execution with a legitimate installer, not primarily downloading. A packer is used to compress/obfuscate an executable to evade signature-based detection; it changes how a binary looks, but it does not inherently describe combining a legitimate installer with another payload. A dropper is designed to deliver and install malware onto a system, often extracting the payload; however, the hallmark detail here is that the legitimate application runs normally while the malicious component is hidden within the same package, which aligns more precisely with a wrapper/Trojanized installer.

Defensively, CEH recommends controls such as application allowlisting, verifying digital signatures and hashes, using trusted software repositories, endpoint detection and response, and monitoring unusual outbound connections after software installation