Does this code indicate an exploit?

The _wp_http_referer field is generated by the wp_referer_field() function. I’m not familiar with the hidden send field – however, I’d wager it’s a nonce field.

In all likelihood this pair of hidden inputs was generated by a call to the wp_nonce_field() function with 'send' as the $name argument and the $referer argument set to true. These fields are a component of good plugin security practices, and aid in verifying the authenticity of user interactions.

In your case, the call is likely executed directly in a template file, or a theme or a plugin logic file in a function attached to the the_content filter – though it could also be called in a shortcode, or numerous other action/filter hooks.

While malicious code might still leverage good security practices, the presence of such practices by itself is in no way indicative of exploitation.
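For reference, a minimal plugin sketch of the pattern the answer describes, added here as an illustration and not taken from the original post or from the asker's site. It runs only inside WordPress; the demo_ prefix, the demo_contact_form shortcode, the demo_send_message action and the demo_message_received hook are hypothetical names.

```php
<?php
/**
 * Plugin Name: Nonce Field Demo (added example; all demo_ names are hypothetical)
 */

// Render the form through a shortcode, one of the places the answer mentions.
add_shortcode( 'demo_contact_form', function () {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_send_message">
        <?php
        // Arguments: $action, $name, $referer. This prints two hidden inputs:
        //   name="send"              -> the nonce bound to 'demo_send_message'
        //   name="_wp_http_referer"  -> the URI of the page showing the form
        wp_nonce_field( 'demo_send_message', 'send', true );
        ?>
        <textarea name="message"></textarea>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
} );

// Handler: reject any submission whose 'send' nonce is missing, stale or forged.
function demo_handle_send() {
    $nonce = isset( $_POST['send'] ) ? sanitize_text_field( wp_unslash( $_POST['send'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_send_message' ) ) {
        wp_die( 'Invalid or expired request.', 'Forbidden', array( 'response' => 403 ) );
    }

    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    do_action( 'demo_message_received', $message ); // hypothetical hook for the real work

    // wp_get_referer() reads _wp_http_referer and validates it as a local URL.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_demo_send_message', 'demo_handle_send' );
add_action( 'admin_post_nopriv_demo_send_message', 'demo_handle_send' );
```

When auditing a site, searching theme and plugin files for wp_nonce_field calls whose second argument is 'send' locates the code that emits the pair of inputs in question.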