Office document malware

Microsoft Office supports Visual Basic for Applications (VBA) macros, which give adversaries a way to automatically execute commands on any system that opens the file. What makes macros dangerous is that they can interact with the operating system: start processes, write files and make network connections.
Malicious macro code is usually heavily obfuscated, both to evade detection and to make analysis of the file harder.
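As an added example (not from the original post), the script below folds the two most common cheap obfuscations in malicious VBA, Chr() concatenation and StrReverse() of string literals, and then scans the result for auto-execute entry points and OS-interaction keywords. The macro it runs on is a constructed sample, not code from any real document, and the keyword lists are illustrative, not exhaustive.

```python
import re

# Constructed sample macro (not from any real document): Chr() concatenation and
# StrReverse() hide the strings that a plain-text scan would otherwise catch.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim x As String
    x = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Dim y As String
    y = StrReverse("exe.tsoh")
    Shell x & " -nop -w hidden -enc SQBFAFgA", vbHide
End Sub
'''

# Procedure names Office runs automatically when the document is opened or closed.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open",
            "AutoClose", "Document_Close", "Workbook_Close")
# Keywords that indicate interaction with the OS (process creation, files, network).
SUSPICIOUS = ("Shell", "WScript.Shell", "CreateObject", "Run", "Exec", "Environ",
              "URLDownloadToFile", "Kill", "powershell", "cmd.exe")

CHR_RUN = re.compile(r'(?:Chr\(\d+\)\s*&\s*)*Chr\(\d+\)')   # Chr(1) & Chr(2) & ...
CHR_ARG = re.compile(r'Chr\((\d+)\)')
STRREV = re.compile(r'StrReverse\("([^"]*)"\)')             # StrReverse("literal")
LIT_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')        # "a" & "b"


def deobfuscate(code: str) -> str:
    """Fold Chr() runs, StrReverse() literals and adjacent literal concatenations."""
    code = CHR_RUN.sub(
        lambda m: '"' + ''.join(chr(int(n)) for n in CHR_ARG.findall(m.group(0))) + '"',
        code)
    code = STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', code)
    # "a" & "b" -> "ab", repeated until nothing changes
    while True:
        new = LIT_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', code)
        if new == code:
            return code
        code = new


def analyze(code: str, deobfuscate_first: bool = True) -> dict:
    """Flag auto-exec triggers and suspicious keywords; deobfuscate first by default."""
    text = deobfuscate(code) if deobfuscate_first else code
    found_auto = [p for p in AUTOEXEC if re.search(r'\b' + re.escape(p) + r'\b', text)]
    # (?<!\w) / (?!\w) keep "Shell" from matching inside "powershell"
    found_sus = [k for k in SUSPICIOUS
                 if re.search(r'(?<!\w)' + re.escape(k) + r'(?!\w)', text, re.IGNORECASE)]
    return {"autoexec": found_auto, "suspicious": found_sus,
            "score": len(found_auto) + len(found_sus), "deobfuscated": text}


if __name__ == "__main__":
    result = analyze(SAMPLE_MACRO)
    print(result["deobfuscated"])
    print("auto-exec:", result["autoexec"], "suspicious:", result["suspicious"])
```

Run it once with deobfuscate_first=False to see the difference: the raw text only shows a Shell call, the folded text also reveals the "powershell" string, which is exactly why analysts deobfuscate before writing detections.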

Windows malware techniques

Malware can inject code into other processes by writing into the target process's memory space. This lets the malware spy on the victim's activity from inside a trusted process. It also helps the malware hide: running inside another process, or cloaked by rootkit techniques, it avoids alerting the user or security tools. Identifying this functionality at the code level involves examining the sample's API calls, for example the OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread sequence, whether in the import table or in a dynamic trace.
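The same API sequence can be detected in a dynamic trace. The script below is an added example, not code from the original post: it walks a constructed API-monitor style log (the line format and values are made up for the example), tracks each process handle returned by OpenProcess, and reports a finding when a write into that handle is followed by a remote execution primitive. The API name sets are illustrative and cover the classic CreateRemoteThread injection plus a few common variants.

```python
# Constructed API-monitor style log (not a real trace). Each line: caller pid, API name,
# then key=value arguments; OpenProcess records the handle it returned in ret=.
SAMPLE_LOG = """\
1234 OpenProcess target=4321 access=0x1F0FFF ret=0x2a4
1234 VirtualAllocEx handle=0x2a4 size=0x1000 protect=PAGE_EXECUTE_READWRITE ret=0x7ff00000
1234 WriteProcessMemory handle=0x2a4 addr=0x7ff00000 size=0x2b0
1234 CreateRemoteThread handle=0x2a4 start=0x7ff00000
5555 OpenProcess target=6666 access=0x0010 ret=0x1b8
5555 ReadProcessMemory handle=0x1b8 addr=0x400000 size=0x100
"""

# Illustrative groups of injection primitives (not exhaustive).
ALLOC_APIS = {"VirtualAllocEx", "NtAllocateVirtualMemory", "NtMapViewOfSection"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
             "QueueUserAPC", "SetThreadContext"}


def parse_line(line: str):
    """'pid api k=v k=v ...' -> (pid, api, {k: v})."""
    pid, api, *rest = line.split()
    kv = dict(tok.split("=", 1) for tok in rest)
    return int(pid), api, kv


def find_injections(log_text: str) -> list:
    """Return one finding per handle that saw a remote write followed by remote execution."""
    handles = {}   # (caller pid, handle) -> state collected for that target process
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pid, api, kv = parse_line(line)
        if api == "OpenProcess":
            handles[(pid, kv["ret"])] = {"injector": pid, "target": int(kv["target"]),
                                         "handle": kv["ret"], "apis": [], "rwx": False}
            continue
        state = handles.get((pid, kv.get("handle")))
        if state is None:
            continue   # not a handle we saw being opened
        if api in ALLOC_APIS | WRITE_APIS | EXEC_APIS:
            state["apis"].append(api)
        if api in ALLOC_APIS and "EXECUTE" in kv.get("protect", ""):
            state["rwx"] = True   # executable memory allocated in another process
        if api in EXEC_APIS and any(a in WRITE_APIS for a in state["apis"]):
            findings.append(dict(state, apis=list(state["apis"])))
    return findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_LOG):
        print(f"pid {f['injector']} injected into pid {f['target']} via {' -> '.join(f['apis'])}"
              f" (RWX alloc: {f['rwx']})")
```

Note that the second process (pid 5555) only reads memory from its target, so it is not reported: reading alone is consistent with debuggers and monitoring tools, whereas write-then-execute is the injection signature.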

Unpacking malware

Packers are tools that compress, obfuscate, encrypt or otherwise encode a program's original code; when the program runs, a small stub decodes that code into memory at run time. Before starting analysis, assess whether the sample is packed, because it changes the whole process. Static analysis of a packed executable is difficult, as the encoded code is unreadable. Dynamic analysis is still possible, but more involved: you first have to locate the unpacking routine, let it run, and then dump the decoded code from memory. Packing is not unique to malware; there are legitimate reasons to use packers, such as protecting proprietary algorithms in trading software. Malware authors pack their code to evade antivirus signatures and buy time before detection.
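A quick first check for packing is section entropy: compressed or encrypted code looks close to random (near 8 bits per byte), while plain code and data sit well below that. The example below is added here and is not from the original post. It builds a simulated binary with a constructed plain code section and a zlib-compressed copy standing in for the packed payload (the section names and the threshold of 7.0 bits/byte are the usual heuristic, not a fixed rule), scores each section, and shows the entropy dropping again once the payload is "unpacked" the way an analyst would see after dumping memory past the unpacking stub.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def make_fake_code(lines: int = 3000, seed: int = 7) -> bytes:
    """Constructed stand-in for a plain code section: structured, low-entropy bytes."""
    rng = random.Random(seed)
    regs = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
    ops = ("mov {r}, {i}", "add {r}, {i}", "push {r}", "pop {r}",
           "call {i}", "jmp {i}", "xor {r}, {r}")
    out = []
    for _ in range(lines):
        tmpl = rng.choice(ops)
        out.append(tmpl.format(r=rng.choice(regs), i=f"0x{rng.getrandbits(16):04x}"))
    return "\n".join(out).encode()


def assess_sections(sections: dict, threshold: float = 7.0) -> dict:
    """Map section name -> (entropy, looks_packed). 7.0+ bits/byte is the common heuristic."""
    result = {}
    for name, data in sections.items():
        ent = shannon_entropy(data)
        result[name] = (round(ent, 2), ent >= threshold)
    return result


def is_probably_packed(sections: dict, threshold: float = 7.0) -> bool:
    return any(packed for _, packed in assess_sections(sections, threshold).values())


def simulated_unpack(blob: bytes) -> bytes:
    """Stand-in for the packer's runtime stub: decode the payload back into 'memory'."""
    return zlib.decompress(blob)


PLAIN_CODE = make_fake_code()
# Simulated packed binary: a small stub section plus the compressed original code.
# Real packers differ in layout; UPX-style section names are used only as a reminder
# that odd section names are themselves a packing hint.
SECTIONS = {
    ".text": b"\x55\x8b\xec" + b"unpack stub; decodes UPX1 then jumps to it " * 8,
    "UPX1": zlib.compress(PLAIN_CODE, 9),
}

if __name__ == "__main__":
    for name, (ent, packed) in assess_sections(SECTIONS).items():
        print(f"{name:8s} entropy={ent:.2f} {'PACKED?' if packed else 'plain'}")
    dumped = simulated_unpack(SECTIONS["UPX1"])
    print(f"after unpacking: entropy={shannon_entropy(dumped):.2f}")
```

High entropy alone is not proof of packing (embedded images, certificates and genuinely encrypted resources score high too), so treat it as a trigger for a closer look at the entry point and imports rather than as a verdict.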

Threat reporting

The outcome of threat research can take one of many forms, anything from a written report to new detection rules. For incident reporting, the best format I have found is The DFIR Report: it gives you everything you need to detect the same attack in your own environment.
When it comes to writing detection rules, the most common formats are Snort (network traffic), YARA (files and memory) and Sigma (log events).

Make Android app debuggable

This makes an application from the Play Store run in debug mode, which lets you use the run-as command to access the application's private /data directory.
Note that this method deletes the application's existing data on the device: the rebuilt APK is signed with a different key, so the installed version must be uninstalled before the modified one can be installed.
The reason to make a production application debuggable is to speed up retrieving its data during dynamic analysis, without performing an advanced acquisition of the phone or rooting the device.
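The manual step in that procedure is adding android:debuggable="true" to the application element of the manifest that apktool decodes. The script below is an added example, not from the original post: it performs that edit on a constructed minimal AndroidManifest.xml and lists the surrounding apktool, apksigner and adb commands. The file names, the keystore and the androiddebugkey alias are assumptions for the example; substitute your own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Keep the "android:" prefix on output instead of ElementTree's default "ns0:".
ET.register_namespace("android", ANDROID_NS)

# Constructed minimal manifest of the kind apktool writes to the decoded directory.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <application android:label="Target" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

DEBUGGABLE_ATTR = f"{{{ANDROID_NS}}}debuggable"


def make_debuggable(manifest_xml: str) -> str:
    """Return the manifest with android:debuggable="true" set on <application>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set(DEBUGGABLE_ATTR, "true")
    return ET.tostring(root, encoding="unicode")


def is_debuggable(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return app is not None and app.get(DEBUGGABLE_ATTR) == "true"


def patch_manifest_file(path: str) -> None:
    """In-place edit of a decoded AndroidManifest.xml (ET drops the XML declaration, so re-add it)."""
    with open(path, encoding="utf-8") as f:
        xml_text = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n' + make_debuggable(xml_text))


def rebuild_commands(apk: str, workdir: str, keystore: str, pkg: str) -> list:
    """The surrounding apktool/adb workflow as shell commands (assumed file names and key alias)."""
    rebuilt = f"{workdir}-debuggable.apk"
    return [
        f"apktool d {apk} -o {workdir}",                     # decode resources and manifest
        f"# patch_manifest_file('{workdir}/AndroidManifest.xml')",
        f"apktool b {workdir} -o {rebuilt}",                 # rebuild the APK
        f"apksigner sign --ks {keystore} --ks-key-alias androiddebugkey {rebuilt}",  # new signature
        f"adb uninstall {pkg}",                              # required: signature no longer matches, data is lost
        f"adb install {rebuilt}",
        f"adb shell run-as {pkg} ls -la /data/data/{pkg}",   # works now that the app is debuggable
    ]


if __name__ == "__main__":
    print(make_debuggable(SAMPLE_MANIFEST))
    print("\n".join(rebuild_commands("app.apk", "app_src", "debug.keystore", "com.example.target")))
```

The adb uninstall step is the one that destroys the data mentioned above; if that data is what you are after, capture it first (for example with adb backup, where the app allows it) before installing the re-signed build.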

Drozer framework

Drozer is a security and attack framework for Android. It lets you perform penetration testing of the applications installed on a phone by installing an agent on the device. You can download it from here.
