Perhaps you are confusing file analysis and process analysis.
DLL and EXE have the same format (PE executable), so at the level of parsing a DLL file, it is practically no different from parsing an EXE. Known signatures are looked for - hashes, byte sequences, or behavioral ones, such as a specific sequence or combination of instructions or system calls. Decompilation is needed only for manual analysis. Whether or not the antivirus will be able to recognize the threat depends on whether the required signature or heuristic is in the databases. Something like pseudo-code execution can be used to analyze behavior at the file level, but this is not the same as process analysis, in which system calls are intercepted and analyzed in real time, in particular which files are being accessed.
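As an added illustration of the file-level analysis the answer describes (not code from the answer's author), the script below parses a PE image just far enough to tell a DLL from an EXE, and then runs the same static signature checks (SHA-256 hash lookup and byte-sequence search) over both. The PE blobs, the hash database and the byte pattern named "demo-sig/XorLoop" are all constructed here for the demonstration and are not real detections.

```python
"""Minimal static (file-level) PE scanner: the same parsing and signature
lookup applies to DLLs and EXEs, which differ only by one Characteristics bit.
Added example; the PE blobs and signatures are constructed, not real samples."""
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics: image is linked and runnable
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics: image is a DLL
COFF_HEADER_FMT = "<HHIIIHH"           # Machine, NumberOfSections, TimeDateStamp,
                                       # PointerToSymbolTable, NumberOfSymbols,
                                       # SizeOfOptionalHeader, Characteristics (20 bytes)


def build_pe(is_dll: bool, payload: bytes) -> bytes:
    """Construct a tiny PE-shaped blob (test input only, not a loadable image):
    64-byte DOS header whose e_lfanew points at 'PE\\0\\0' + COFF header + payload."""
    e_lfanew = 64
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew lives at offset 0x3C
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + payload


def parse_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header. Identical for DLL and EXE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    machine, nsec, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsec,
        "characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signature database (hypothetical names and pattern, for the demo only).
BYTE_SIGNATURES = {
    "demo-sig/XorLoop": bytes.fromhex("8a0630c2aa"),  # a made-up 5-byte instruction pattern
}


def scan(data: bytes, hash_db: dict, byte_db: dict) -> list:
    """Static scan: exact-hash match first, then byte-sequence search over the whole file.
    Note what this cannot see: behaviour at run time (which files/syscalls a process touches)."""
    hits = []
    digest = sha256_hex(data)
    if digest in hash_db:
        hits.append(hash_db[digest])
    for name, pattern in byte_db.items():
        if pattern in data:
            hits.append(name)
    return hits


def demo() -> dict:
    """Build one DLL and one EXE carrying the same payload and scan both."""
    payload = b"\x90\x90" + BYTE_SIGNATURES["demo-sig/XorLoop"] + b"\xc3"
    dll = build_pe(True, payload)
    exe = build_pe(False, payload)
    hash_db = {sha256_hex(dll): "demo-hash/KnownBadDll"}   # constructed hash entry
    return {
        "dll": {"header": parse_pe(dll), "hits": scan(dll, hash_db, BYTE_SIGNATURES)},
        "exe": {"header": parse_pe(exe), "hits": scan(exe, hash_db, BYTE_SIGNATURES)},
    }


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, "is_dll=%s" % result["header"]["is_dll"], "hits=%s" % result["hits"])
```

Both images go through the same `parse_pe` path; the only difference the parser reports is the `IMAGE_FILE_DLL` bit. The byte signature fires on both files because it is matched against content, not container type, while the hash entry fires only on the exact file it was taken from, which is why hash-only databases are easy to evade by recompiling and why byte and behavioural signatures exist at all.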