A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.