Look at the root domain. Is it a reputable university (e.g., mirror.stanford.edu) or a known software repository? Or is it a string of random numbers and letters? Trust the former; be wary of the latter.
Stay aware, stay secure, and think twice before clicking that DMG link in an unfamiliar index.