So ... if you have main domain from #TA505 TTPs and want to download the dropper file from actual subdomain , following is the method
So, found 2 TTPs today from twitter
But, subdomains are not there. Without disturbing the poster, goto https://[DOMAIN]
It will show you a certificate error page. Click on Advanced .
Following section will open , click on View Certificate.
Now you can see subdomain names which are distributing the actual dropper files.
Now use that subdomain and add /download.php at end to download actual dropper excel file.
