Common PDF dictionary used inside malicious PDF are /Author, /Producer, /Title, and /Subject which use reference from this.info.author, this.info.producer, this.info.title, and this.info.subject respectively.
The PDF dictionary mentioned above are located inside the /Info referenced object. This can be identified from the reference variable above (e.g: this.info.title) used inside JavaScript code. For instance;
this /* means that in this very own PDF file */
.
info /* which refer to the object of /Info */
.
title /* which refer to the /Title object reference */
However, recently, I’ve stumbled upon a PDF dictionary that is not defined inside the PDF Reference. By reading through its reference variable, this.info.autor, it is certain that the obfuscated malicious code reside in the object referenced at /autor.
Check the trailer dictionary (usually at the end of PDF content) to view the object number referenced to /Info. In this case, object 9 0 R
From object 9 0, we know /autor is reference to content inside object 5 0 R