The invention provides an automatic analysis method and system of malicious codes based on an API (application program interface) HOOK. An API HOOK technology and a remote thread implantation technology are utilized to monitor samples; influences of the malicious codes on the whole system in an operation process are recorded, and a dynamic analysis report is automatically generated; influences of malicious code samples on a file, a network, and a registry and a key process are recorded, and when the operation of the samples ends, the system recovers the state before the samples are executed; the whole monitoring, recording and reduction process ends automatically without manual intervention; monitoring software can only run a sample each time, the monitoring software is used for monitoring the host process of the samples and process threads created by the host process of the samples, and when the monitoring software finishes the monitoring, the system recovers the state before the samples are operated; behaviors such as creation, deletion, modification and the like of the malicious code samples on the file are detected, operation behaviors of the malicious code samples on the network are detected, behaviors such as addition, deletion, modification and the like of the malicious code samples on the registry are detected, and operation behaviors of the malicious code samples on the create process are detected; and finally the dynamic monitoring report on the malicious code samples is submitted, and when the monitoring is finished, the monitoring software carries out inversion operation to restore the system to the state before the samples are operated according to the operations and influences of the samples on an operating system. The intelligent analysis technology of the malicious codes is suitable for analyzing a great deal of samples without the manual intervention, and is quicker in analysis speed and less in garbage in the analysis report.