Attacker modified a legitimate executable that is part of “Symantec Endpoint” The well-known IDA Pro disassembler has trouble displaying the modification as we will show later in this post. We will present a way to identify this kind of modification and the limitation in this approach. The last instruction to jump to the malicious code is in fact JMP (JMP) by patching the address of the end of the function (0xF6D3) by replacing the 0xF5D3 by 0xD7. We assume IDA uses the pdata section to retrieve the end and the beginning of the runtime functions.”]
Source: https://blog.talosintelligence.com/2017/10/disassembler-and-runtime-analysis.html