Settings, docs, billing, and scan history
Generate your API key, top up active months, search persisted scan records, and review the technical scan breakdown returned by the Malpulver API.
API key
Malpulver stores only a hashed version of your key. When a new key is generated or rotated, you see the raw value once.
Top up active months
Active API access is month-based. Spend Olexar credits here to extend the account.
Endpoints
Send a multipart file using the field name "file". Search persisted history with the scan records endpoint.
Integration & scan details
Malpulver currently performs a static, heuristic file scan. It inspects the uploaded bytes, file structure, metadata, extracted text, and format-specific indicators without executing the sample. Every scan is also persisted for later search by hash, filename, verdict, tag, and date.
Use the Credits tab to manage your Olexar balance.
Use the month top-up buttons in Settings. While the account is active, the external upload endpoint works.
Send X-API-Key and a multipart file to the upload endpoint and consume the returned structured scan object.
Response shape
Top-level result
The scan returns identity, verdict, tags, findings, metadata, analysis, raw byte metrics, and a persisted record ID.
Verdict model
FINE, SUSPICIOUS, or ERROR, plus a pipeline state and summary message.
Developer fields
Use findings, tags, analysis, and rawByteStats for routing and review logic.
{
  "scanRecordId": 42,
  "requestId": "uuid",
  "fileName": "sample.pdf",
  "contentType": "application/pdf",
  "detectedMediaType": "application/pdf",
  "sizeBytes": 12345,
  "sha256": "…",
  "sha1": "…",
  "md5": "…",
  "verdict": "FINE | SUSPICIOUS | ERROR",
  "pipelineState": "COMPLETED | FAILED",
  "message": "FINE",
  "findings": [
    "PDF contains active-content or action markers."
  ],
  "tags": [
    "pdf",
    "pdf-actions"
  ],
  "metadata": {
    "contentTypeHeader": "application/pdf",
    "detectedMediaType": "application/pdf",
    "extension": "pdf",
    "tikaDetectedType": "application/pdf",
    "parsedContentType": "application/pdf",
    "tikaMetadata": { }
  },
  "rawByteStats": {
    "overallEntropy": 0,
    "nullByteRatio": 0,
    "printableAsciiRatio": 0,
    "longestRepeatedByteRun": 0,
    "serialCorrelation": 0,
    "byteDistributionSkew": 0,
    "averageWindowEntropy": 0,
    "maxWindowEntropy": 0,
    "minWindowEntropy": 0,
    "topByteFrequencies": [ ]
  },
  "analysis": {
    "fileNamePatterns": { },
    "tika": { },
    "generic": { },
    "pdf": { },
    "heuristic": { }
  }
}
What the current scan engine inspects
Identity & type checks
- Normalizes the upload filename and records original metadata.
- Computes SHA-256, SHA-1, and MD5 digests.
- Detects media type using file bytes and filename, including Apache Tika detection.
- Compares filename extension, client content type, parsed content type, and observed file structure.
Filename deception analysis
- Multiple extensions and deceptive double extensions such as document-like names ending in executable payloads.
- Bidirectional override characters that can visually disguise dangerous filenames.
- Trailing spaces or dots, leading-dot hidden names, and shortcut or link-style extensions.
- Executable, script-like, and archive-style extension classification.
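The filename checks listed above can be reproduced locally for pre-filtering or for unit-testing your own upload handler. This is an added example, not Malpulver's code; the extension sets and flag names are assumptions chosen for illustration.

```python
import os

# Assumed extension sets; the page does not publish Malpulver's own lists.
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "jar", "msi"}
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
SHORTCUT = {"lnk", "url", "desktop"}
# Unicode bidirectional controls: embeddings, overrides and isolates.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def filename_flags(name: str) -> list[str]:
    """Return the deception flags (hypothetical names) raised by a filename."""
    flags = []
    # Never trust a client-supplied directory part; keep the last component only.
    base = os.path.basename(name.replace("\\", "/"))
    if any(ch in BIDI_CONTROLS for ch in base):
        flags.append("bidi-override")
    if base != base.rstrip(" ."):
        flags.append("trailing-space-or-dot")
    # Classify extensions on the name as the filesystem would store it.
    cleaned = "".join(ch for ch in base if ch not in BIDI_CONTROLS).rstrip(" .")
    if cleaned.startswith("."):
        flags.append("leading-dot-hidden")
    exts = [p.lower() for p in cleaned.lstrip(".").split(".")][1:]
    if len(exts) >= 2:
        flags.append("multiple-extensions")
        if exts[-1] in EXECUTABLE and any(e in DOCUMENT_LIKE for e in exts[:-1]):
            flags.append("deceptive-double-extension")
    if exts and exts[-1] in SHORTCUT:
        flags.append("shortcut-extension")
    if exts and exts[-1] in EXECUTABLE:
        flags.append("executable-extension")
    return flags

if __name__ == "__main__":
    # Constructed sample names.
    for sample in ["report.pdf", "invoice.pdf.exe", "photo\u202egnp.exe",
                   "setup.exe. ", ".hidden.lnk"]:
        print(repr(sample), filename_flags(sample))
```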
Raw byte statistics
- Overall entropy and sliding-window entropy.
- Null-byte ratio, printable ASCII ratio, longest repeated byte run.
- Serial correlation and byte distribution skew.
- Top byte-frequency preview for packed, binary-heavy, or unusual payload patterns.
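To make the rawByteStats fields concrete, the sketch below computes several of them over a constructed buffer. It is an added example, not Malpulver's implementation: the 256-byte window, the half-window step and the printable range are assumptions, and serialCorrelation and byteDistributionSkew are left out.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best

def raw_byte_stats(data: bytes, window: int = 256) -> dict:
    n = len(data)
    step = max(window // 2, 1)  # assumed overlap: slide by half a window
    wins = [shannon_entropy(data[i:i + window])
            for i in range(0, max(n - window, 0) + 1, step)]
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return {
        "overallEntropy": shannon_entropy(data),
        "nullByteRatio": data.count(0) / n if n else 0.0,
        "printableAsciiRatio": printable / n if n else 0.0,
        "longestRepeatedByteRun": longest_run(data),
        "averageWindowEntropy": sum(wins) / len(wins),
        "maxWindowEntropy": max(wins),
        "minWindowEntropy": min(wins),
        "topByteFrequencies": Counter(data).most_common(3),
    }

# Constructed sample: text, then a uniform (packed-looking) region, then null padding.
SAMPLE = b"hello world " * 32 + bytes(range(256)) * 4 + b"\x00" * 256

if __name__ == "__main__":
    for key, value in raw_byte_stats(SAMPLE).items():
        print(key, value)
```

The overall entropy of the sample sits well below its maximum window entropy, which is why windowed values are useful for spotting a packed region inside an otherwise ordinary file.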
Text & metadata extraction
- Uses Apache Tika to extract text excerpts and structured metadata where possible.
- Searches extracted text and metadata for execution, downloader, persistence, obfuscation, Office auto-run, and suspicious URL-scheme indicators.
- Stores parsed metadata and text-derived signal hits in the response.
Archive inspection
- ZIP-like and RAR archive preview with entry sampling.
- Checks for encrypted archives, nested archives, executable and script payloads, link files, hidden executable names, and suspicious entry names.
- Flags path traversal and absolute-path archive entries.
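The archive checks above can be mirrored in your own pipeline before anything is unpacked. The following is an added example, not Malpulver's code; it handles ZIP only, and the extension lists, flag names and entry limit are assumptions.

```python
import io
import zipfile

# Assumed lists for illustration; not taken from Malpulver.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".jar", ".tar", ".gz")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk")

def entry_flags(name: str, encrypted: bool = False) -> list[str]:
    """Flag one archive entry name without extracting it."""
    flags = []
    norm = name.replace("\\", "/")
    # Absolute: POSIX root, UNC path, or a Windows drive letter.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        flags.append("absolute-path")
    # Any ".." component can escape the extraction directory.
    if ".." in norm.split("/"):
        flags.append("path-traversal")
    lower = norm.lower()
    if lower.endswith(ARCHIVE_EXT):
        flags.append("nested-archive")
    if lower.endswith(EXEC_EXT):
        flags.append("executable-or-script")
    if encrypted:
        flags.append("encrypted")
    return flags

def inspect_zip(data: bytes, max_entries: int = 100) -> dict:
    """Sample up to max_entries entries and return {entry name: flags}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_entries]:
            # Bit 0 of the general-purpose flags marks an encrypted entry.
            flags = entry_flags(info.filename, bool(info.flag_bits & 0x1))
            if flags:
                report[info.filename] = flags
    return report

def build_sample() -> bytes:
    """Constructed in-memory archive with harmless contents and odd entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "x")
        zf.writestr("/tmp/absolute.txt", "x")
        zf.writestr("inner/payload.zip", "x")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_sample()))
```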
Document & web content analysis
- Office: VBA/macros, ActiveX, embedded objects, package parts, OLE object pools, and external links.
- PDF: JavaScript markers, open actions, launch actions, embedded files, XFA, URIs, remote references, encryption, and text excerpts.
- HTML: scripts, external scripts, hidden iframes, forms, embeds, meta refresh, inline event handlers, suspicious URL schemes, downloader and obfuscation indicators.
Image & metadata analysis
- Reads image metadata directories and preview tags.
- Flags GPS metadata presence.
- Searches metadata previews for execution strings, suspicious schemes, and obfuscation markers.
Executable & runtime-aware analysis
- PE/Windows: MZ header, PE signature, section count, machine type, and PortEx-assisted parsing.
- ELF/Linux: ELF class, endianness, machine type, and JELF parsing attempts.
- JVM: .class metadata, JAR/WAR/EAR manifest fields, Java-agent capability, class counts, package counts, and class previews.
- Android: APK entry inspection, DEX counts, native libraries, executable-like assets, DEX header fields, and dexlib loading attempts.
How verdicts are produced
The current engine uses heuristic logic that produces a binary verdict. It promotes observed signals into high-confidence and medium-confidence patterns. The final result becomes SUSPICIOUS when at least one high-confidence pattern is present, or when enough medium-confidence patterns accumulate. Otherwise the file is returned as FINE.
High-confidence examples
Deceptive double extensions, executable disguise mismatches, dangerous PDF launch behavior, path traversal archives, or strong multi-signal combinations.
Medium-confidence examples
Macros, suspicious URL schemes, downloader strings, injection APIs, encrypted archives, hidden iframes, or packed-like byte structure.
Developer usage
Treat verdict as the primary gate, and use findings plus analysis.heuristic for analyst context and custom rules.
Best-fit environment for this scan
Recommended placement
- At the upload edge before a file is stored permanently, previewed, unpacked, or passed to workers.
- Inside a moderation, approval, or quarantine flow for user-submitted content.
- As a synchronous gate for immediate block/allow decisions on standard uploads.
Recommended handling flow
- Upload to a temporary/quarantine area first.
- Send the file to Malpulver.
- Allow FINE files to continue into your normal storage or processing flow.
- Route SUSPICIOUS files to quarantine, analyst review, or secondary scanning.
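One way to implement the routing step of this flow on an already-parsed scan response is shown below. This is an added example, not Malpulver client code: the route_scan function, the "hold" decision for ERROR or failed pipelines, and the local SHA-256 comparison are assumptions, and the sample response is constructed from the response shape documented on this page.

```python
import hashlib

def route_scan(quarantined: bytes, scan: dict) -> tuple[str, str]:
    """Return (decision, reason); decision is 'release', 'quarantine' or 'hold'."""
    verdict = scan.get("verdict")
    # Assumption: ERROR, FAILED or unknown values are held, never released.
    if scan.get("pipelineState") != "COMPLETED" or verdict not in ("FINE", "SUSPICIOUS"):
        return "hold", f"no usable verdict ({verdict!r}): {scan.get('message', '')}"
    # Bind the result to the bytes actually sitting in quarantine.
    if str(scan.get("sha256", "")).lower() != hashlib.sha256(quarantined).hexdigest():
        return "hold", "sha256 in scan result does not match quarantined file"
    if verdict == "SUSPICIOUS":
        # Keep findings and tags so the block can be explained later.
        detail = "; ".join(scan.get("findings", [])) or "no findings listed"
        return "quarantine", f"{detail} [tags: {', '.join(scan.get('tags', []))}]"
    return "release", f"scan record {scan.get('scanRecordId')}"

# Constructed sample file and response.
SAMPLE_FILE = b"%PDF-1.7 constructed sample bytes"
SAMPLE_SCAN = {
    "scanRecordId": 42,
    "sha256": hashlib.sha256(SAMPLE_FILE).hexdigest(),
    "verdict": "SUSPICIOUS",
    "pipelineState": "COMPLETED",
    "message": "SUSPICIOUS",
    "findings": ["PDF contains active-content or action markers."],
    "tags": ["pdf", "pdf-actions"],
}

if __name__ == "__main__":
    print(route_scan(SAMPLE_FILE, SAMPLE_SCAN))
    print(route_scan(SAMPLE_FILE, dict(SAMPLE_SCAN, verdict="FINE", message="FINE")))
    print(route_scan(SAMPLE_FILE + b" changed after scan", SAMPLE_SCAN))
```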
Good engineering practice
- Do not trust the client filename or MIME type alone.
- Store the returned hashes for audit, deduplication, and future blocklists.
- Persist findings and tags so you can explain why a file was blocked.
- Search your stored records later by hash, filename, verdict, tag, or date.
- Apply separate size limits, auth, rate limits, and storage isolation in your own environment.
Scope notes
- This is a static inspection layer, not a sandbox or runtime detonation system.
- It does not claim to prove a file is safe; it identifies observable risk signals from the current scan context.
- For stronger defense, combine Malpulver with quarantine workflows, secondary AV, and downstream business rules.
Search scan records
Search your stored Malpulver scan records by hash, filename, verdict, tag, and date range. Results are limited to your own account.
💳 Buy Credits
Safe, secure checkout. Your balance updates after payment.
🧾 Transaction History
How are credits calculated?
Every $1 AUD = 10,000 credits. If you buy $10, you receive 100,000 credits.
What payment methods are accepted?
Major cards and wallets supported by Stripe.
Refunds and disputes
See our Refund policy.