Recently we were informed about a potential issue with a .pdf that we were hosting. A partner's IT dept flagged (using hybrid-analysis.com) an IP that may be malicious.
We ran our own hybrid-analysis test and used Wireshark to observe the traffic and noticed similar IP ranges being used.
Can Adobe confirm if IPs of or around 22.214.171.124 and 126.96.36.199 (whois'd to Amazon Web Services) are Adobe or is this a real threat?
Amazon offer web services to millions of companies; they are one of the largest providers of services. These will include some of the largest companies in the world and some shady customers too... Amazon do not reveal which of their customers is assigned (at any particular moment) an IP.
If all PDFs connect here, maybe it is indeed Adobe. If this is a single PDF, not under your control, maybe it uses a private connection scheme with someone, for example for digital rights management or for some multimedia.
It is public knowledge that AWS (Amazon Web Services) are used to host some of Adobe's services. Acrobat could be attempting logon with an Adobe ID to the Document Cloud or Creative Cloud, including searching for whether there are available updates for the software.