Any software that gets regular security updates (like Firefox and Chrome) is going to be as safe as you can reasonably expect. That, plus not opening random PDFs, will go a long way.
Well, not just that, but my understanding is that they rasterize the PDF into an HTML canvas (which might mean it’s not subject to the same buffer overflow, etc. bugs that a desktop PDF reader might have?), don’t run embedded scripts (as far as I know), and miiiiiight be somehow tied into the browser security model (I’m not sure about this, but if it is, they’re some of the most hardened software out there… would definitely trust a browser more than anything Adobe or Microsoft).
The odds of hackers breaking into a transit hut to replace their maps with viruses are slim to none. It’s a lot easier to send out millions of fake emails and texts like the one OP posted.
Dearcustomer is my uncle, or Uncle DC as we like to call him. I better forward it to him.
Usually yes, a dangerous link is the most common security threat you’re going to run into, whether you’re talking about an attachment in a scam message or the content of the message itself.
But a PDF can and in the past has had malicious code in it (not just a link to a site trying to steal info). So yes, the actual PDF itself is a potential risk (which is the point of this thread).
You’re correct that phishing attempts are usually the most common threat. So freaking common it’s ridiculous.
I often do this with known spam, just to see what happens. I’m on a Mac, and 90+% of malware is designed to target Win. Most of the time it tries to load a dodgy webpage, and often it’s already been blocked by Cloudflare.
I agree that the wording is weird. But yes, depending on the user’s naïveté level, all these concepts can be involved in scams and infections.
Concerning dot-com files: MS-DOS had two main program file formats: .EXE and .COM. You can imagine, in 1997, receiving a nicely-spoofed email with an attachment called “eBay.com” and double-clicking it, thinking it would bring you to the eBay site. This would instead execute the program in question on the local machine. Windows supported MS-DOS .COM programs directly until at least Windows XP, and the lack of User Account Control back then meant that you were probably running the malicious program with full administrator control. This was mostly a problem in the 1994-2005 timeframe. Then email providers and clients added filters against .COM attachments, Windows added some mechanisms to warn users or block execution, etc.
One of the first things I learned about computers on my own after Dad decided it was safe to let me use it unsupervised was: if a file has the ending EXE, COM, or BAT then typing its name at the command prompt will make it run.
The OP (perhaps inadvertently) raises two key points about malware.
Point 1:
Yes, PDFs can contain malicious content, as explained in depth by others above.
Point 2:
But beyond that, there is no way for the OP (or anyone really) to know that the link in that text message is in fact a PDF. It could be anything. The OP assumed it really went to a PDF and the thread launched off from there.
Everything that looks like a link or looks like an attachment is simply a black box potentially containing absolutely anything. What you can see from the outside is just gift wrapping. It’s real easy to build the software equivalent of a nuke and gift-wrap it to look like a box of chocolates.
I know everyone here knows this, at least in an academic sense. But it’s real easy, as this thread demonstrates, for several people to innocently forget that the gift wrapping tells us nothing about the content. And so they assume innocent gift-wrapping implies innocent content. And don’t notice they made that assumption; it was an unconscious decision.
Sure our browsers, email clients, anti-malware scanners, etc., are all trying to peer past the giftwrap to see and evaluate what’s inside. With varying degrees of effectiveness. But your [click] or [tap] gives consent to a lot of stuff happening. Not all of which anyone or anything can predict.
Caveat clickor, indeed. I shared this to help remind us that some seemingly innocent file types can include malware. And to remind myself of that. I need reminding, sometimes.
I said this upthread but don’t many of us share pictures in texts among family/friends? How long before a picture file still looks like a picture but also contains malware?
Also, EXE and COM and BAT files are usually (IME) called ‘eee-ex-eee’ or ‘com’ or ‘bat’ files. Not ‘dot com’, etc. Again, IME.
We’ve come pretty close to that already… but you’re generally not going to be affected by that unless you’re a high-value espionage target for state actors. There are companies like NSO Group that specialize in finding, weaponizing, and selling these “zero-click” exploits that can take over phones without the user having to do anything at all.
I don’t know if any of these (aside from the WhatsApp video) actually resulted in renderable images, but that doesn’t really matter if the recipient doesn’t even really need to open your text message, much less click on anything.
That said, nobody is going to spend millions of dollars to buy or develop one of these exploits unless you’re a person of interest or threat to some authority. Microsoft, Google, Apple, etc. do spend time and money trying to find them, or at least to pay off would-be hackers through bug bounty programs. But generally if you find a really effective one, you (and your kids and grandkids) can be set for multiple lifetimes if you find a state to sell it to instead. It’s an ongoing arms race.
And at about the same time, operating systems started hiding extensions on most files by default, so that it became much harder for users to recognize and avoid threats. Oops.
In the early days of the internet before the idea of malicious actors had really taken hold, one of the Microsoft apps for displaying JPGs (?) included an extension to the file format where you could invisibly embed macro-code in the image and the JPG viewer would read and execute it when you opened the picture file. Just like all the other Office file types could embed macros, and even autorun macros, so could pictures.
Sadly MS had just fully embraced and rolled out the “Every app is a programmable execution engine for some sort of embedded code” paradigm just as the internet & email & the web became a mass market phenomenon. Which of course was instantly filled with criminals and vandals to prey on the millions (billions?) of innocent noobs with their newfangled Win 95 PCs. Oops on timing there, Bill.
For a big corporation they then did a pretty good job of pivoting towards the internet, the web, and client-server and away from the stand-alone desktop PC.
But it took them a long time to eradicate all the ways their apps were designed under the assumption that all data is always trustworthy and everything can contain something executable somehow as a deliberate feature, not as a security hole / code mistake.
Even turning off hiding file extensions in Windows Explorer doesn’t work on all extensions. E.g., .url and .lnk. The latter is esp. problematic as you click on something like fun.txt.url thinking it’s safe since you see only fun.txt and instead a page to a malicious website is opened. It takes regediting to fix that.
I saw a video recently (can’t remember which channel) where Bad People were sending zip (or rar?) files to open source software maintainers. The files looked innocently named but the standard archiving software was being fooled regarding extensions and this led to infection of some projects.
Re: .com vs .exe in the oldest MS-DOS type systems. The first was for “simple” programs that fit in a small space and didn’t need a “fancy” (for the time) memory addressing method. The program could be dumped into memory with a fixed offset and run. The latter could span memory blocks (“segments”) with sep. code and data and the OS needed to provide linking info for the code to run.
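The deceptive-name cases raised in this thread (an attachment called eBay.com, fun.txt.url displaying as fun.txt, a link assumed to lead to a PDF) can be checked mechanically. The following is an added example, not part of any post above; the function names, the extension lists and the sample bytes are constructed for illustration.

```python
import os

# Extensions that run or redirect when opened on Windows (illustrative subset).
RUNNABLE = {".exe", ".com", ".bat", ".url", ".lnk"}
# Per the thread: Explorer hides these even with "hide extensions" turned off.
ALWAYS_HIDDEN = {".url", ".lnk"}
# Well-known leading byte signatures for a few formats.
MAGIC = {
    ".pdf": b"%PDF-",
    ".exe": b"MZ",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def displayed_name(filename, hide_known=True):
    """Approximate the name a file manager shows the user."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in ALWAYS_HIDDEN or (hide_known and ext):
        return stem
    return filename

def inspect(filename, head):
    """Return findings for a file name plus the first bytes of its content."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]
    if ext in RUNNABLE:
        findings.append(f"runs-on-open:{ext}")
        # A harmless-looking inner extension is the "gift wrapping".
        if inner and inner not in RUNNABLE:
            findings.append(f"double-extension:{inner}{ext}")
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        actual = next((e for e, m in MAGIC.items() if head.startswith(m)), "unknown")
        findings.append(f"content-mismatch:{ext}!={actual}")
    return findings

if __name__ == "__main__":
    samples = [  # constructed names and header bytes
        ("eBay.com", b"\xe9\x00\x00"),
        ("fun.txt.url", b"[InternetShortcut]\r\n"),
        ("statement.pdf", b"MZ\x90\x00"),
        ("map.pdf", b"%PDF-1.7\n"),
    ]
    for name, head in samples:
        print(f"{name!r} shown as {displayed_name(name, hide_known=False)!r}: {inspect(name, head)}")
```

An empty findings list only means the name and the format agree; as the thread points out, a genuine PDF can still carry malicious content.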