
Automated Malware Tagging System (自動化惡意程式貼標系統)

Automated Malware Tagging

Advisor: 孫雅麗

Abstract


In recent years the rate at which malware is produced has grown rapidly, and the threat to individuals and enterprises keeps increasing. Understanding which attack techniques a given malware sample uses during execution to achieve its malicious purpose would directly help malware detection, defence and subsequent malware analysis. Anti-virus vendors try to convey to security experts and ordinary users, through labels, the type, platform, family or variant version of a malware sample [5], so that users get an initial idea of the impact and threat it poses. However, earlier work [3] pointed out that every anti-virus vendor has its own labeling criteria and basis, and these are largely inconsistent. Moreover, according to [11], the behaviour of malware that shares one label is still quite diverse, which shows that the labels proposed so far carry no semantic explanatory power. This thesis therefore proposes to examine each malware sample's execution sequence (a sequence of API call invocations) and to extract from it a series of stage-wise execution activities (activity groups). After the activity groups are extracted, we refer to the attack techniques in the MITRE ATT&CK framework and assign each activity group a semantic description tag, finally obtaining a sequence of semantic description tags. Such a sequence clearly presents the execution intent of each stage and the purpose of the malware, thereby providing an in-depth and clear account of the malicious activity of a malware family.

Abstract (English)


In recent years, the speed of malware production has grown rapidly, and the threat to individuals and businesses has increased. If we understand the attack techniques that malware uses to achieve its malicious purposes, we can directly detect and defend against it. Anti-virus vendors try to explain the impact and threat of malware to security experts by means of labels. However, [3] pointed out that each anti-virus vendor has its own labeling criteria and basis, and many of them are inconsistent. According to [11], even though malware samples may share the same label, their behaviour is still quite diverse. This indicates that the currently proposed labels do not have semantic explanatory power. Therefore, this thesis proposes to examine a sequence of API call invocations and extract a sequence of activity groups from the execution sequence. After extracting the activity groups, we refer to the attack techniques in the MITRE ATT&CK framework, give each activity group one semantic description tag, and finally obtain a sequence of semantic description tags. A sequence of semantic description tags can clearly show the execution intent of each stage of execution activity and the purpose of the malware, thereby providing a deep and clear description of the malicious activity of the malware family.
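The pipeline sketched in the abstract (API call sequence, activity groups, one ATT&CK tag per group, tag sequence) is illustrated below with an added Python example. It is not code from the thesis: the API-to-category table, the rule that an activity group is a maximal run of calls from one category (with uncategorised housekeeping calls absorbed into the open group), the category-to-technique mapping and the sample trace are all constructed for illustration. The technique IDs are real MITRE ATT&CK identifiers, but the thesis's own segmentation method and mapping are not given on this page.

```python
"""Added example: extract activity groups from a constructed API call trace
and tag each group with a MITRE ATT&CK technique ID.

All tables and the trace below are illustrative assumptions, not the thesis's
own data or method.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: each monitored API call maps to a coarse behaviour category.
API_CATEGORY: Dict[str, str] = {
    "GetSystemInfo": "discovery_system",
    "GetComputerNameW": "discovery_system",
    "FindFirstFileW": "discovery_file",
    "FindNextFileW": "discovery_file",
    "OpenProcess": "injection",
    "VirtualAllocEx": "injection",
    "WriteProcessMemory": "injection",
    "CreateRemoteThread": "injection",
    "RegOpenKeyExW": "persistence_runkey",
    "RegSetValueExW": "persistence_runkey",
    "InternetOpenW": "c2_http",
    "InternetOpenUrlW": "c2_http",
    "InternetReadFile": "c2_http",
}

# Assumption: each category is described by one ATT&CK technique (real IDs).
CATEGORY_TECHNIQUE: Dict[str, Tuple[str, str]] = {
    "discovery_system": ("T1082", "System Information Discovery"),
    "discovery_file": ("T1083", "File and Directory Discovery"),
    "injection": ("T1055", "Process Injection"),
    "persistence_runkey": ("T1547.001", "Registry Run Keys / Startup Folder"),
    "c2_http": ("T1071.001", "Application Layer Protocol: Web Protocols"),
}


@dataclass
class ActivityGroup:
    category: str
    start: int                      # index of the first call in the trace
    end: int                        # index of the last call (inclusive)
    calls: List[str] = field(default_factory=list)


def extract_activity_groups(trace: List[str]) -> List[ActivityGroup]:
    """Segment the trace into maximal runs of same-category calls.

    Calls missing from API_CATEGORY (e.g. CloseHandle, GetLastError) are
    treated as housekeeping: absorbed into the currently open group, or
    dropped if no group has started yet.
    """
    groups: List[ActivityGroup] = []
    current: Optional[ActivityGroup] = None
    for i, api in enumerate(trace):
        category = API_CATEGORY.get(api)
        if category is None:
            if current is not None:
                current.calls.append(api)
                current.end = i
            continue
        if current is None or current.category != category:
            current = ActivityGroup(category, i, i)
            groups.append(current)
        current.calls.append(api)
        current.end = i
    return groups


def tag_groups(groups: List[ActivityGroup]) -> List[Tuple[str, str]]:
    """Assign one (technique ID, name) tag per activity group."""
    return [CATEGORY_TECHNIQUE[g.category] for g in groups]


def tag_sequence(trace: List[str]) -> List[str]:
    """Full pipeline: trace -> activity groups -> ordered technique IDs."""
    return [tid for tid, _ in tag_groups(extract_activity_groups(trace))]


def describe(trace: List[str]) -> str:
    """Human-readable report of groups and their tags."""
    groups = extract_activity_groups(trace)
    lines = []
    for g, (tid, name) in zip(groups, tag_groups(groups)):
        lines.append(f"[{g.start:>2}-{g.end:>2}] {tid:<10} {name}: "
                     + ", ".join(g.calls))
    return "\n".join(lines)


# Constructed sample trace, in the style of a sandbox API log.
TRACE: List[str] = [
    "GetSystemInfo", "GetComputerNameW", "GetLastError",
    "FindFirstFileW", "FindNextFileW", "FindNextFileW", "CloseHandle",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "RegOpenKeyExW", "RegSetValueExW", "CloseHandle",
    "InternetOpenW", "InternetOpenUrlW", "InternetReadFile", "InternetReadFile",
]

if __name__ == "__main__":
    print(describe(TRACE))
    print("Tag sequence:", " -> ".join(tag_sequence(TRACE)))
```

Running the script on the constructed trace yields five groups and the tag sequence T1082, T1083, T1055, T1547.001, T1071.001, which reads as a stage-by-stage account (discovery, injection, persistence, C2) rather than a single family label. A real implementation would replace the hand-built category table with the thesis's learned activity groups, but the shape of the output is the same.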

References


[1] (2018). McAfee Labs Threats Report. [Online]. Available: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf
[2] (2018). PeStudio. [Online]. Available: https://www.winitor.com/
[3] (2018). 010Editor. [Online]. Available: https://www.sweetscape.com/010editor/
[4] (2017). IDAPro. [Online]. Available: https://www.hex-rays.com/products/ida/index.shtml
[5] (2018). CuckooSandbox. [Online]. Available: https://cuckoosandbox.org/
