The invention discloses a webshell malicious family clustering analysis method, and relates to the technical field of information security. The method comprises the following steps: step 1, obtaining function call information, parameter values and return value information during Webshell operation; step 2, cleaning, splicing and sequencing the function call information; 3, vectorizing the function call sequence information in the step 2; 4, calculating information entropies of the parameter values and the return values, and sorting according to a function calling sequence; 5, according to the func_seq, the argv_seq and the return_seq obtained in the step 2 and the step 4, building an RNN model to predict the three types of sequences respectively, and learning code family features; 6, after minhash processing is carried out on the original sequence data and the predicted sequence data, mapping the original sequence data and the predicted sequence data into pixel points, and thus, a pixel map is formed; 7, superposing the original pixel image obtained in the step 6 and the predicted pixel image, and drawing a final pixel image; and step 8, clustering the pixel image obtained in the step 7 by using a DBSCAN clustering algorithm.