Research on Classification of Malware Source Code

Source: Journal of Shanghai Jiaotong University (Science)
In the face of the threat of Internet attacks, malware classification is one of the promising solutions in the field of intrusion detection and digital forensics. In previous work, researchers performed dynamic analysis or static analysis after reverse engineering. However, malware developers use anti-virtual machine (VM) and obfuscation techniques to evade malware classifiers. By deploying honeypots, malware source code can be collected and analyzed. Source code analysis provides a better classification for understanding the purpose of attackers and for forensics. In this paper, a novel classification approach is proposed, based on content similarity and directory structure similarity. Such a classification avoids re-analyzing known malware and allocates resources to new malware. Malware classification also lets network administrators know the purpose of attackers. The experimental results demonstrate that the proposed system can classify the malware efficiently with a small misclassification ratio and that its performance is better than VirusTotal.
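The abstract names the two signals but not how they are computed. The sketch below is an added illustration, not the paper's algorithm: Jaccard similarity over token shingles and over (directory, extension) pairs, the equal weighting, the 0.6 threshold and all sample trees are assumptions made here.

```python
import re
from pathlib import PurePosixPath

def shingles(text, k=3):
    """k-token shingles of one source file (tokenisation is an assumption)."""
    toks = re.findall(r"[A-Za-z_]\w*|\d+|\S", text)
    return {tuple(toks[i:i + k]) for i in range(max(len(toks) - k + 1, 1))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

def content_features(sample):
    return set().union(*(shingles(t) for t in sample.values()))

def dir_features(sample):
    """Layout fingerprint: (parent directory, file extension) per file."""
    return {(str(PurePosixPath(p).parent), PurePosixPath(p).suffix) for p in sample}

def similarity(a, b, w_content=0.5):
    c = jaccard(content_features(a), content_features(b))
    d = jaccard(dir_features(a), dir_features(b))
    return w_content * c + (1 - w_content) * d

def classify(sample, families, threshold=0.6):
    """Return (family, score); family is None when nothing known is close enough."""
    best, score = None, 0.0
    for name, ref in families.items():
        s = similarity(sample, ref)
        if s > score:
            best, score = name, s
    return (best, score) if score >= threshold else (None, score)

# Constructed, harmless stand-ins for collected source trees (path -> text).
KNOWN = {
    "family_a": {"src/main.c": "int main(void){ init(); run_loop(); return 0; }",
                 "src/net/conn.c": "void join(char *chan){ send_line(chan); }",
                 "Makefile": "all: main"},
    "family_b": {"bot.pl": "use strict; my $x = shift; print $x;",
                 "lib/scan.pl": "sub scan { my $h = shift; return $h; }"},
}
VARIANT = {"src/main.c": "int main(void){ init(); run_loop(); return 1; }",
           "src/net/conn.c": "void join(char *chan){ send_line(chan); }",
           "Makefile": "all: main", "README": "notes"}
UNRELATED = {"app/index.php": "<?php echo 'hello'; ?>"}

if __name__ == "__main__":
    for label, s in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(label, classify(s, KNOWN))
```

A `None` family marks a sample as new and worth full analysis, while a match lets the analyst skip re-analysis of a known family.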