diff --git a/malware/README.md b/malware/README.md
new file mode 100644
index 0000000..2beea3e
--- /dev/null
+++ b/malware/README.md
@@ -0,0 +1,82 @@
+# Malware Classification
+
+## Malware Categories
+
+All malware samples should be classified into one of the categories listed in the table below.
+
+
+- Virus
+-
+
+
- Worm
+-
+
+
- Trojan
+-
+
+
- Ransomware
+-
+
+
- Rootkit
+-
+
+
- Downloader
+-
+
+
- Adware
+-
+
+
- Spyware
+-
+
+
+
+## Obfuscation Classification
+
+All malware samples should be classified into one of the categories listed in the table below.
+
+
+- no-obfuscation
+- No obfuscation is used
-
+
- encryption
+- encryption
-
+
- oligomorphism
+- oligomorphism
-
+
- metamorphism
+- metamorphism
-
+
- stealth
+- stealth
-
+
- armouring
+- armouring
-
+
- encryption
+- encryption
-
+
- tunneling
+- tunneling
-
+
- XOR
+- XOR
-
+
- BASE64
+- BASE64
-
+
- ROT13
+- ROT13
-
+
+## Payload Classification
+
+
+## Memory Classification
+
+
+# Machine-parsable Malware Classification
+
+The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
+along with their human-readable description. The software can use both
+representation on the user-interface and store the tag as machine-parsable.
+
+~~~~
+malware_classification:malware-category="virus"
+~~~~
+
+Based on:
+
+https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848
+
+
diff --git a/malware/machinetag.json b/malware/machinetag.json
new file mode 100644
index 0000000..e4bf3a6
--- /dev/null
+++ b/malware/machinetag.json
@@ -0,0 +1,162 @@
+{
+ "namespace": "malware_classification",
+ "description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
+ "version": 1,
+ "predicates": [
+ {
+ "value": "malware-category",
+ "expanded": "Malware Category"
+ },
+ {
+ "value": "obfuscation-technique",
+ "expanded": "Obfuscation Technique"
+ },
+ {
+ "value": "payload-classification",
+ "expanded": "Payload Classification"
+ },
+ {
+ "value": "memory-classification",
+ "expanded": "Memory Classification"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "malware-category",
+ "entry": [
+ {
+ "value": "Virus",
+ "expanded": "Virus"
+ },
+ {
+ "value": "Worm",
+ "expanded": "Worm"
+ },
+ {
+ "value": "Trojan",
+ "expanded": "Trojan"
+ },
+ {
+ "value": "Ransomware",
+ "expanded": "Ransomware"
+ },
+ {
+ "value": "Rootkit",
+ "expanded": "Rootkit"
+ },
+ {
+ "value": "Downloader",
+ "expanded": "Downloader"
+ },
+ {
+ "value": "Adware",
+ "expanded": "Adware"
+ },
+ {
+ "value": "Spyware",
+ "expanded": "Spyware"
+ }
+ ]
+ },
+ {
+ "predicate": "obfuscation-technique",
+ "entry": [
+ {
+ "value": "no-obfuscation",
+ "expanded": "No obfuscation is used"
+ },
+ {
+ "value": "encryption",
+ "expanded": "encryption"
+ },
+ {
+ "value": "oligomorphism",
+ "expanded": "oligomorphism"
+ },
+ {
+ "value": "metamorphism",
+ "expanded": "metamorphism"
+ },
+ {
+ "value": "stealth",
+ "expanded": "stealth"
+ },
+ {
+ "value": "armouring",
+ "expanded": "armouring"
+ },
+ {
+ "value": "encryption",
+ "expanded": "encryption"
+ },
+ {
+ "value": "tunneling",
+ "expanded": "tunneling"
+ },
+ {
+ "value": "XOR",
+ "expanded": "XOR"
+ },
+ {
+ "value": "BASE64",
+ "expanded": "BASE64"
+ },
+ {
+ "value": "ROT13",
+ "expanded": "ROT13"
+ }
+ ]
+ },
+ {
+ "predicate": "payload-classification",
+ "entry": [
+ {
+ "value": "no-payload",
+ "expanded": "No payload"
+ },
+ {
+ "value": "non-destructive",
+ "expanded": "Non-Destructive"
+ },
+ {
+ "value": "destructive",
+ "expanded": "Destructive"
+ },
+ {
+ "value": "dropper",
+ "expanded": "Dropper"
+ }
+ ]
+ },
+ {
+ "predicate": "memory-classification",
+ "entry": [
+ {
+ "value": "resident",
+ "expanded": "In memory"
+ },
+ {
+ "value": "temporary-resident",
+ "expanded": "In memory temporarily"
+ },
+ {
+ "value": "swapping-mode",
+ "expanded": "Only a part loaded in memory temporarily"
+ },
+ {
+ "value": "non-resident",
+ "expanded": "Not in memory"
+ },
+ {
+ "value": "user-process",
+ "expanded": "As a user level process"
+ },
+ {
+ "value": "kernel-process",
+ "expanded": "As a process in the kernel"
+ }
+ ]
+ }
+ ]
+}
+
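Review bot: The `obfuscation-technique` entry list defines `encryption` twice (second and seventh entries), and the README table in this commit repeats the duplicate, so any consumer that keys values by name gets an ambiguous or silently overwritten entry. Drop the second one, or replace it with the technique that was actually intended; its position next to `oligomorphism` and `metamorphism` suggests something like polymorphism, but that is only a guess. Value casing is also inconsistent: `malware-category` uses `"Virus"`, `"Worm"` and so on, while the README example is `malware_classification:malware-category="virus"` and the other predicates use lower-case kebab values. A tag written from the README would therefore fail an exact match against the JSON, which matters for detection rules and sharing filters that compare tags as strings. Use `"value": "virus"` with `"expanded": "Virus"`, and likewise lower-case `XOR`, `BASE64` and `ROT13`, to keep the machine form stable.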