Take an example from other reports and emulate them. You probably have seen some before.
The most important part is to have a proper list of hashes at one place. That's because reports without them are pretty much useless.
Commonly it is placed at the very end, and usually you provide hashes as SHA256.
If there are many hashes, sort them alphabethically.
Make sure that the hashes can be copied, they should not be an image in a PDF or similar, but actual text.
If you include malware code, do not put that as text, but as image. You don't want an antivirus product to think there is actual malware code in your document.
You can have an introduction to state the purpose of the report. Depends what it is for.
Make sure that at each point of your report it is clear which samples you are currently analysing. E.g., I do that by using references that point to your hash listing at the end of the report.
Be short, to the point and technically precise. That's more important than language that sounds nice. Remove words and sentences that are only fillers or don't tell anything important.
If you make assumptions instead of stating facts, make it clear that these are only assumptions. E.g. you might see Russian text in a malware and say something like "The developer is Russian". That's an assumption, not a fact. It might just be a person who used Google translate or speaks Russian as second language. Prefer to stay with facts and if you want to state assumptions, make it clear that they aren't facts.
Verify your statements by providing resources, links or any other kind of proof.
If anyone helped you with parts of your work, state that.
Do not mock the threat actors. It's tempting and I am guilty of this myself, but it doesn't do any good, nor is it professional.