Malpulver

Developer hub

Settings, docs, billing, and scan history

Generate your API key, top up active months, search persisted scan records, and review the technical scan breakdown returned by the Malpulver API.

Inactive Uploads enabled

Account

Email —

Status —

Active until —

Price —

Allow upload requests for this account

API key

Malpulver stores only a hashed version of your key. When a new key is generated or rotated, you see the raw value once.

Current stored key

—

Top up active months

Active API access is month-based. Spend Olexar credits here to extend the account.

Endpoints

Send a multipart file using field name file. Search persisted history with the scan records endpoint.

Upload endpoint

—

Search endpoint

—

Integration & scan details

Malpulver currently performs a static, heuristic file scan. It inspects the uploaded bytes, file structure, metadata, extracted text, and format-specific indicators without executing the sample. Every scan is also persisted for later search by hash, filename, verdict, tag, and date.

Static analysis Structured JSON Format-aware Heuristic verdict Stored history

Buy Olexar credits

Use the Credits tab to manage your Olexar balance.

Convert credits into Malpulver months

Use the month top-up buttons in Settings. While the account is active, the external upload endpoint works.

Upload files

Send X-API-Key and a multipart file to the upload endpoint and consume the returned structured scan object.

cURL

JavaScript

Python

Java

What you get back

Response shape

Top-level result

The scan returns identity, verdict, tags, findings, metadata, analysis, raw byte metrics, and a persisted record ID.

Verdict model

FINE, SUSPICIOUS, or ERROR, plus a pipeline state and summary message.

Developer fields

Use findings, tags, analysis, and rawByteStats for routing and review logic.

Abridged response example

{
  "scanRecordId": 42,
  "requestId": "uuid",
  "fileName": "sample.pdf",
  "contentType": "application/pdf",
  "detectedMediaType": "application/pdf",
  "sizeBytes": 12345,
  "sha256": "…",
  "sha1": "…",
  "md5": "…",
  "verdict": "FINE | SUSPICIOUS | ERROR",
  "pipelineState": "COMPLETED | FAILED",
  "message": "FINE",
  "findings": [
    "PDF contains active-content or action markers."
  ],
  "tags": [
    "pdf",
    "pdf-actions"
  ],
  "metadata": {
    "contentTypeHeader": "application/pdf",
    "detectedMediaType": "application/pdf",
    "extension": "pdf",
    "tikaDetectedType": "application/pdf",
    "parsedContentType": "application/pdf",
    "tikaMetadata": { }
  },
  "rawByteStats": {
    "overallEntropy": 0,
    "nullByteRatio": 0,
    "printableAsciiRatio": 0,
    "longestRepeatedByteRun": 0,
    "serialCorrelation": 0,
    "byteDistributionSkew": 0,
    "averageWindowEntropy": 0,
    "maxWindowEntropy": 0,
    "minWindowEntropy": 0,
    "topByteFrequencies": [ ]
  },
  "analysis": {
    "fileNamePatterns": { },
    "tika": { },
    "generic": { },
    "pdf": { },
    "heuristic": { }
  }
}

Technical breakdown

What the current scan engine inspects

Identity & type checks

Normalizes the upload filename and records original metadata.
Computes SHA-256, SHA-1, and MD5 digests.
Detects media type using file bytes and filename, including Apache Tika detection.
Compares filename extension, client content type, parsed content type, and observed file structure.

Filename deception analysis

Multiple extensions and deceptive double extensions such as document-like names ending in executable payloads.
Bidirectional override characters that can visually disguise dangerous filenames.
Trailing spaces or dots, leading-dot hidden names, and shortcut or link-style extensions.
Executable, script-like, and archive-style extension classification.

Raw byte statistics

Overall entropy and sliding-window entropy.
Null-byte ratio, printable ASCII ratio, longest repeated byte run.
Serial correlation and byte distribution skew.
Top byte-frequency preview for packed, binary-heavy, or unusual payload patterns.

Text & metadata extraction

Uses Apache Tika to extract text excerpts and structured metadata where possible.
Searches extracted text and metadata for execution, downloader, persistence, obfuscation, Office auto-run, and suspicious URL-scheme indicators.
Stores parsed metadata and text-derived signal hits in the response.

Archive inspection

ZIP-like and RAR archive preview with entry sampling.
Checks for encrypted archives, nested archives, executable and script payloads, link files, hidden executable names, and suspicious entry names.
Flags path traversal and absolute-path archive entries.

Document & web content analysis

Office: VBA/macros, ActiveX, embedded objects, package parts, OLE object pools, and external links.
PDF: JavaScript markers, open actions, launch actions, embedded files, XFA, URIs, remote references, encryption, and text excerpts.
HTML: scripts, external scripts, hidden iframes, forms, embeds, meta refresh, inline event handlers, suspicious URL schemes, downloader and obfuscation indicators.

Image & metadata analysis

Reads image metadata directories and preview tags.
Flags GPS metadata presence.
Searches metadata previews for execution strings, suspicious schemes, and obfuscation markers.

Executable & runtime-aware analysis

PE/Windows: MZ header, PE signature, section count, machine type, and PortEx-assisted parsing.
ELF/Linux: ELF class, endianness, machine type, and JELF parsing attempts.
JVM: .class metadata, JAR/WAR/EAR manifest fields, Java-agent capability, class counts, package counts, and class previews.
Android: APK entry inspection, DEX counts, native libraries, executable-like assets, DEX header fields, and dexlib loading attempts.

Heuristic decisioning

How verdicts are produced

The current engine is binary-verdict heuristic logic. It promotes observed signals into high-confidence and medium-confidence patterns. The final result becomes SUSPICIOUS when at least one high-confidence pattern is present, or when enough medium-confidence patterns accumulate. Otherwise the file is returned as FINE.

High-confidence examples

Deceptive double extensions, executable disguise mismatches, dangerous PDF launch behavior, path traversal archives, or strong multi-signal combinations.

Medium-confidence examples

Macros, suspicious URL schemes, downloader strings, injection APIs, encrypted archives, hidden iframes, or packed-like byte structure.

Developer usage

Treat verdict as the primary gate, and use findings plus analysis.heuristic for analyst context and custom rules.

Deployment guidance

Best-fit environment for this scan

Recommended placement

At the upload edge before a file is stored permanently, previewed, unpacked, or passed to workers.
Inside a moderation, approval, or quarantine flow for user-submitted content.
As a synchronous gate for immediate block/allow decisions on standard uploads.

Recommended handling flow

Upload to a temporary/quarantine area first.
Send the file to Malpulver.
Allow FINE files to continue into your normal storage or processing flow.
Route SUSPICIOUS files to quarantine, analyst review, or secondary scanning.

Good engineering practice

Do not trust the client filename or MIME type alone.
Store the returned hashes for audit, deduplication, and future blocklists.
Persist findings and tags so you can explain why a file was blocked.
Search your stored records later by hash, filename, verdict, tag, or date.
Apply separate size limits, auth, rate limits, and storage isolation in your own environment.

Scope notes

This is a static inspection layer, not a sandbox or runtime detonation system.
It does not claim to prove a file is safe; it identifies observable risk signals from the current scan context.
For stronger defense, combine Malpulver with quarantine workflows, secondary AV, and downstream business rules.