Common PDF dictionary used inside malicious PDF are /Author, /Producer, /Title, and /Subject which use reference from this.info.author, this.info.producer, this.info.title, and this.info.subject respectively.
this /* means that in this very own PDF file */
info /* which refer to the object of /Info */
title /* which refer to the /Title object reference */
However, recently, I’ve stumbled upon a PDF dictionary that is not defined inside the PDF Reference. By reading through its reference variable, this.info.autor, it is certain that the obfuscated malicious code reside in the object referenced at /autor.
Check the trailer dictionary (usually at the end of PDF content) to view the object number referenced to /Info. In this case, object 9 0 R
From object 9 0, we know /autor is reference to content inside object 5 0 R