A new campaign distributing the IcedID banking trojan has been active over the past week. IcedID is usually spread via malspam whose links point to various Word documents that carry IcedID. The malware executes when a user enables content or macros for these files. Below is the usual infection flow for IcedID.
If the email recipient opens the document and enables macros, the end result is installation of the IcedID trojan. Persistence is achieved using a scheduled task. IcedID injects implants into web browsers in order to steal financial information. It also steals other data, such as credentials from various applications and cookies. On instruction from its C&C server, IcedID can also install additional malware.