> There's a discouragement that comes in the RE community that to be useful at all you need to be able to write your own exotic packer decoders
Unless you are talking about obfuscated / virtualized payloads, isn't it common to just "cheat" by running it in an emulator / debugger, then taking the unpacked code section from memory and working from there? It was the approach I took in a CTF task: https://nevesnunes.github.io/blog/2021/10/03/CTF-Writeup-TSG...
Non-Ghidra example, but just the other week I was pulling apart a commercial phishing kit that had implemented its own version of AES in JavaScript, and then created a kind of conceptual virtual file system based on nested layers of b64 and a "custom" rot-20k encoding that turned everything into Unicode, where one blob was the image with offsets, and then different parts of the malware would be pulled out and decoded and decrypted at runtime - rendering the static analysis that AV and WAF tools do useless.
I used a REPL to manually do the steps you describe dynamically, but doing it statically means writing a decoder. You really need a proper sandbox to do dynamic analysis because you don't know what's going to actually detonate, whereas static analysis gives you a whiff of how off it seems, and that's sufficient for most security and privacy purposes. It was also common in Android apps several years ago now, not sure what the current state of the art is though. Android isn't my problem anymore.
Officially, I suck at this and I defer to more skilled people because I am a much better writer than hacker, but when they aren't around, you go to war with the army you have. :)