312-50v13 Exam Dumps : Certified Ethical Hacker Exam (CEHv13)

The scenario describes a program that appears legitimate (a software update installer that “functions normally”) while secretly placing additional malicious components onto the system, which later execute to establish remote access. That is the defining behavior of a dropper. A dropper’s primary role is to deliver (drop) malware payloads onto a host—writing files to disk or unpacking embedded components—often while disguising itself as a benign application. The malicious components may then be executed immediately or staged for later activation to reduce suspicion and increase persistence.

This differs from a downloader, which typically contains minimal payload and focuses on contacting a remote server to fetch malware after initial execution. In this case, the description emphasizes that “additional malware components are silently placed on the system,” implying the payload is being installed/deposited locally by the initial program rather than primarily downloaded. An injector focuses on injecting code into another running process (process injection) to evade detection or run under another process context; it does not inherently describe the act of placing additional components as separate hidden files. A wrapper is a technique where a malicious program is bound or “wrapped” with a legitimate one so that both run; while wrappers can be used in trojanized installers, the question emphasizes the behind-the-scenes placement of additional components for later activation, which is the classic dropper behavior.

The key indicators are: (1) user executes an installer that appears normal, (2) hidden malware components are deposited without the user’s knowledge, and (3) those components later activate for remote access. That chain matches a dropper’s purpose: stealthy malware delivery and staging.

Therefore, the correct answer is D. Dropper.

This question relates to Malware Analysis, specifically PDF-based malware, as covered in the CEH v13 Malware Threats module. The presence of /JavaScript and /OpenAction keywords identified by pdfid strongly indicates potentially malicious behavior triggered when the PDF is opened.

CEH v13 recommends static analysis of PDF stream objects as the next step to understand embedded malicious logic. Tools such as PDFStreamDumper allow analysts to extract, decompress, and inspect object streams within a PDF file, revealing obfuscated JavaScript code or exploit payloads.

The /OpenAction keyword indicates that the embedded JavaScript executes automatically when the document is opened, a common technique used in PDF-based attacks to exploit reader vulnerabilities or download secondary payloads.

Other options are insufficient:

VirusTotal provides detection results but not behavioral insight.

PE Explorer is irrelevant because PDFs are not Portable Executable files.

Hashing only helps identify known malware, not analyze behavior.

CEH v13 emphasizes manual inspection of embedded scripts to determine intent, making PDFStreamDumper the correct next step.

The correct answer is A. Honey trap. In CEH social engineering concepts, a honey trap is a technique in which an attacker creates a fake attractive identity, often on social media or dating platforms, to build emotional trust with a target. The attacker then uses that trust to extract sensitive personal, corporate, or security-related information.

In this scenario, Steve created a fake social media profile and used an appealing profile picture and description to attract Stella. Once Stella accepted the request and began communicating with him, Steve gradually asked questions about her company and collected important organizational information. This matches the honey trap method because the attacker used attraction, trust, and manipulation to obtain confidential information.

Option B, diversion theft, involves redirecting deliveries or information to the wrong location. Option C, piggybacking, means gaining physical access by following an authorized person. Option D, baiting, uses an enticing object or offer, such as infected USB media, to lure victims. Therefore, the best answer is Honey trap.