I suppose the malware can simply track whether you have wallet software installed and only then it would check the printer memory? I was reading an article yesterday. Apparently even the pass phrase is not save anymore since they can just take a screenshot of the screen.
yeah well if you have a keylogger they can simply notice and record every action you take such as keys you press on your keyboard, what you see on your screen, clicks of your mouse,... this is actually why air-gapped machines are used for generating your private keys and notion of cold storage exists
https://en.bitcoin.it/wiki/Cold_storage