Social.png in "Donations" themeforest theme

I have purchased several Themeforest themes and never though to check them for social.png and have had problems in the past with that malware.

I just purchased “Donations” responsive theme from Themeforest yesterday and found the social.png in the files I purchased.

This is crazy because the idea of paying for themes is in part to avoid the results of pirated themes which can have Malware.

Anyone else find Malware in the theme they have purchased? It doesn’t seem right.

An year ago I had a conflict with an author on this subject.
My advice is to communicate this with the proof of the Envato. This malware is very well hidden in PNG and it is very difficult to detect by Envato team. They probably thinking that’s an image.
In my opinion I think : The author stole a template from torrents and change it . From my experience on some bizarre websites, I discovered malware hidden in png or svg files. For this reason it is best to buy a template.
I hope to resolve this issue.

Yes that is why I purchased a theme thinking was safe.
It is not excuse for them to not find this one because social.png is never a file needed in any theme and well known Malware file. Here is a screen shot of it in their download zipped file.

Yes this malware very well done and hard to detect. Envato had no way to detect it. These types of malware do not cause damage on your site but they change your meta tags and page title with advertisings and affects your website in search engine . My advice is to open that file with notepad, sublimetext or other IDE and send those at Envato. Also may be that malware is in the other files and that social.png be called somehow in code.
I’m sorry for what happened to you.

Yes, bring this to both Envato and the authors attention. I’d suggest doing so immediately.

Envato does do a thorough review of items submitted but sometimes things make it through.

Something like this I could see easily making it through.

Often, this is not something ‘intended’ by the author or Envato, I feel confident in saying that.

This is likely the result of the author having their own installation compromised without knowing.

My suggestion is contact both author and Envato and let them know of what you discovered.

It is a good find and I too will make note of this in the future. Thanks for sharing this concern.

1 Like

Good catch! Just report to Envato and let the theme get banned from the marketplace. :angry:

1 Like

I am concerned with your lack of understanding of how serious social.png is. You have no idea how bad it is until your IP has been blacklisted for sending out thousands of emails or spam posts at which point your web hosting provider shuts down your or your clients website causing them to be out of business.
Not a easy thing to find??? this one also worries me because social.png is the number one file you should search your cPanel or what ever you are using for constantly these days. It is the new STI of the web world.
Seriously read this article soon please:

1 Like

I think it’s fair to put here author and theme name because others have this problem to alert.
It’s too bad that made this author. I checked on google and these types of malware hidden in image files can send information from your database and not be detected if you use a shared hosting package.

@BillFligg you’re right. This is very serious. I said before after I Googled.

Is it really a social.png exploit? Or just a real image called social.png?

exactly what I was thinking as no author who was any good would put it in their theme on purpose and it came directly from the Envato servers.

It could be a legitimate png file, try and open it with a graphic program.

It would be insane to put a file in a theme that is internationally known as the worst malware file name on the market. Why would anyone use the name social.png for a legitimate file knowing that all malware software and anyone doing their due diligence, would immediately delete it?
All PNG files have code embedded in them so for me it is hard to tell. I simply do not wish to take the chance when the odds are 90+% that this is malware.
You have a look at this code and see if you can read where and if there is an injected malicious action here. LOL

IHDR H —Ý÷à tEXtSoftware Adobe ImageReadyqÉe< diTXtXML:com.adobe.xmp <?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x=“adobe:ns:meta/” x:xmptk=“Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 “> <rdf:RDF xmlns:rdf=“”> <rdf:Description rdf:about=”” xmlns:xmpMM=“” xmlns:stRef=“” xmlns:xmp=“” xmpMM:OriginalDocumentID=“xmp.did:63F077BD3C80E211832CC26777D55787” xmpMM:DocumentID=“xmp.did:A17AB7AC804411E2B45CD0F93775CB67” xmpMM:InstanceID=“xmp.iid:A17AB7AB804411E2B45CD0F93775CB67” xmp:CreatorTool=“Adobe Photoshop CS5 Windows”> <xmpMM:DerivedFrom stRef:instanceID=“xmp.iid:65F077BD3C80E211832CC26777D55787” stRef:documentID=“xmp.did:63F077BD3C80E211832CC26777D55787”/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>¡ah vIDATxÚìY{ŒœU?ß{Þ³3ûînÛ}tK[×–Úò(-
£&‚bQ1˜R#PM0€1`$jú—¯hASZ´¦ÐX01Xj©-Ò5–v»ìvéƒ>ö9ûœ™Ý™Ùù^þÎÝýê€3+X_ð%w¿ù¾ïÞ{~çœß9çÞ»’ëºô¿¼Ôb/·oß.î’$Ñàà ɲ|ÇÀÀÀdsssw Éçó©ãǏ‹ï†aÐôô4±"è’Æý3¥xœã8¢ŸúÏÖ××–Að}ÕÕÕG l7ž;<A—kAµÂÙ«>“N§ÇïMccc×

íxߍ~]¸^ˆ¢ Eñ4e²,kÞÈÈÈᆆ†ÖÊÊÊUUՍ­­­lnIôôôt¡ßô߁»ý^HÅÐoÚ´é’?ËËË÷­[·nƒÊårWÏçß5Mw ¤#GŽtÁ:[•Cï…ò\#‘ÈO7nܸÁï÷S"‘ ˜p,ptt”úûû B)Óm·Ý¶lùò够¿lÌ^·¶´´l™˜˜ ©©©Kš²ÖªªŠèƒâw&“ Ö¬YÃÏO;v¬Z¾~9$\ Óo=þ<uww|O.BÑç¹çžVw°9ATq_¶l™ÿÂ…ß™œœü4ƒfs³Þ5â]†ùÅÏr Ó d[úÈ#ÐÝwß-´dó#Pgg’íÙ³‡/^|‰žU¸HË VCP}±0…2{C¡ÐÕøÙ‚¶¶¨-Z´Ë¬ÕÞ½{iéÒ¥”J¥¨··—lÛæ ˜™Šg/lYsD@PˆÛ{îÜ9a%a°7®\¹Ríµ×‚WOÃ…'Š€öÞÖÖFóçϧŽŽ1I6›¥S§N “®X±âR¸2 nžÆ°†÷Ló^´
„ò£°Ç¿\WW×ît “æØŸ€µdá¬)GkÏGÄoPhva¬Á·ïâч±ÍÐü:¸¦.™L²‚ ØFQ þ+ºdÕªUÔ××'´j¡ùúõëÓ4…/Z ¿õ¦¦¦Û1Çí<ŽÉ¿ˆÉDu h+jÈ€·Š€Ðm˜ U×õk˜ýóæÍsر†±<–{ðžÙ2rÁ‚4+Àcø}MMŒç&XñYî/—Ãî+@šâ "2 ÿfÍ=¿{B¹qxŽekF L¼?yò¤˜ƒ9p×<x8PºaÒc°ÄF°ù7Ð:V¨á;
–¸X¨Ç/7p¦d±+9I±%9Œ¡Pƒ7Nž«â¾L½ l¾èånÏüž@OãÂï<žIËY“-ÇÑÄÉ 4]Ô”R)Ò3-&9AyïX@¡°ÂVì=aߟ9s†PÎEÚ檉÷¶p]1áL/}óD’¸!A‰„RXÍ
J·xÏ™° í^²s„r$€cøfó·¢ Ød…“àú&oC8­á¨à¬ÈÑÀ¸y¡è¹„ÍÌÀ8jø™ÝÁýy^&4¾½zå•WÎͯyÄò{¹8q:®¨¨òz°‰ûÙ[Ðpåd²%Y ,^„õ8ázvÎjøÎ2û܉ûføra›qÉ’%¬ÂO/9!Ó‰cr
.é|!apR:ˆ|ÙS¬( N Å@¡í„ÐeàŃlNäs±heÌh6/_\8ñ3[†]Àwä ¾V˜¼Þ•
ßaàC˜x “~yBf·ö÷°¬¬Lä ÇÚr
°Ð¾íG×TÏ´kÙúgÏžý–lÛØm^D”tgÊbVò1É0A„o€¦Wá¾ßdh¸Ú1±Å}¸/ï­·Þºäk}饗„ð;wŠ{I<üðÃ%×pL.Èìg³ÞsÏ=G!p?7íÚµë(3Ÿ¿3Ûeee ZSmm­‰þ­ž%ùûœ˜ëâÁ¬™ÛÐä¼{_Ľ>Â;?¾…ñ®¿×‚BX÷3Ï<Å*:é­!D+F¸bð®X,Æ häƒ!¬rnÁs5’Ó+ å0cä|DQë!¬óà‹È!Ç0Že:xç–ܘÌ@ ¦×ó:¬ ÃôS¸[ ãa 4s"ìxá‘ãÆ€ð]…u|˜;^ðÊ.iÿæ%ÓÿøzÀû Š&¢{w·Ï C4v&R$ºãõ sríüw,¨Œ¤MJímeÅ–CFþ×)‡õ q4¹ÊÌ ×yGðªìÎèm!%gîLÈs^Uƒe”%•ÅCò}qÿ‘I×Ý=iš³=þ3gDòßWcúÏfìDZÝÔ›ž¾¶g<WuòB®·›êr\œÑÞý÷PÖŽ†¦-gÞéqûðaëã­-z°¾*zãG®p(“wÌîlâЩdÙîôßSÿ{Έ¤¯ÆƒzMUÚ¾»¯®Úà>Jg-ŠùU
©?.ŒdéÉ¿&ºÎôMm!M9„ïšÅ|ã0¯,©"èûé¶O5oéKçéþ4 ¬ÆïPÎÄM'ӕȧ)T[fP€=u4A/tŒÞ‰Ywúñ½“ÐíÖõÍá-Cé,M¤-Ž¡ê ƒÂx89˜"=XFšêÐxÆ¢Ê F_XUIš,?ñ»ãCbkî5齞©´²!¦oíè› CgG©!꧕uª Èô­O,}¾ÿbuX@Õà)—F¦°irhÃQgê;ÃçÓš+^r*_ ˜Ûˆ¿ü.}FT|©±"°ô•{VÐ/?¹ˆ,5D½é-¨]Bî:OOüþ´jQ-éÖwb¨2šD©<ïlº©%¾ÚqÜzדê^Nb¡½å~íj nÁsñ3¢µ ¡u+êËä¡”MOî;@¬ê£S“et2ýQj vÐ5óÛèùsV¼Ë1IaaY“J”6]ŠúµHsبЩ·} …’FSðBP½ñÖÖ˜þB÷Ĉ_{:T‹ŸÕÅb‘I…ºÎÿœ~rý! Œ=OQlzrU´ÄLЛCe”TïáyóÊ¡$ ŽH…WÇص%Î%§ö‰>^?2:·bu]èÑi‹Œú˜ñåVûÛ&²VG‰<ä8ýÙÇižr
ñ†ÍÆÑÓ Jƒ¼ |ó-¥€4ÁŠ <¯°\Ž
¸";eF2®ó]˜ýuÌã3m§ùã×U]÷‘EeuI“ZÊ}ç“ÓM¶ãÅÏŠŸ;ûDHS7OMc#iÿ…>¦ßG냔0ˆþHÑÙü)¨¤ÁxÂ¥Y²ÏÔ UU(9iÒ‘ÓðkTWé§Êr¬’á†ñ±<sÄÉØŸ¨HxÅψzÎ’·}¨%Þö¹×L˜¦çÝv:ªõ¢è,€æa
©)Ra^Yl^…áES ôÉ‚ˆea™V6û¨ß’éð[“D ¨•ÍÑŠFI>ø†ÙtÃaâÏrÆ•‹NPG×ÅÔW$%ŸªP‡)¦›È‚¤8…¤)®%²<…]†?:HÀ®°ldthQƒKµós´ºn’ô¼EGÞHP]yŽ–·$©2à\ÿäî3´c÷éÛsâɤcÝÓeÓ®4î:&ù¤„!ÖùeD(ôv×Y³Õ“ù»1d:3‘£qw‚îZŸ¡]w5Ð7o®¦”3Ž

5´ŠTê|¶ÉÒ¾ ÓºiÐt.ræt¼p擐Y\}ø›k;—¾KœiAbð‘2&½™é£lä$½8x‚ú¦²ë3]ÓºV û–}ª(ò‰ÞÌcdH +„ØB’Á‚›YX®$~ϼµT dY <>2LýÙÊd|¨!š­ê„Vbk6Â#¸qeÉð„'ÎfhÍÂ2QK¦ó‰˜—꘮9k¾‹ÙîL&Ô¡ƒÂ5~*wªc +ÐbøíaýAsãm•!}ÍòyQÌÊå t…睖#ÑÈ8*g™EÁ°D&ïÀà#ÅÈÐh”œT‰Ê}õ–ëkg,='af]Ág ã£Ó÷vô%©e©µ>"RDcÛ$Ä5M³oø€ÂÕ¨ïtš.v¤(3 ˆ’Do9u•SM,s¸ÏUKž¼½4ó3éD„m>zvlÇ(ÖaëW ëéä3lpBÂÁ!aJ. SuŒü¡ %F&i´cK€ jT]YCñ˜ïàþöÑ—½JY4^õ³ö¢ \˜ÜpéaØp>hÍ’Ú-­‹b…¤ˆº3ù_49ÉÈ‚e\âmh2çÇàijŒÛî…¤yåŸN§;½ZÜÎ?®O¼¿pÇCºª¨¶û½ž”Üy1)ªàÌ:gö_q˜¸6ê£ò°ü†Na?Ÿ’ÕÒ™TÅýšt®ë8ñÒ D YÒ¹Ï?44õ…Hý1½YÎOÌÄ¿^‚Ic†¡ìÇjo ‘qe¦3Úµwj×ÜPqàW[Çz¶ÉR€\ÍIH*¹,7%Vj3ÿhdb’¬vIffƒ\xÕí5¿Þ.K¶ü‹áolöÛÚuɱdE%®4,|VÇŸº¿åÍ©ÖGÎK\é·[ƒHݼü/†G7/.¹†‹úu¬G‘EàßÑ<ØéD÷«þ±¦_<ø££aNË0;Ѳ:“>º8OŸû„J•JÌÌ×È­¶²Î–òÃî.˜k3‰Á2 pê•uØCsÕèå‡âÝmÅ»!ñ˺–P%M]e-W!ºïýv8Úñ¦”ÔsÆË]Æ‘íúÅ­»Z½%¨SõÀóÊ_{hر%‘ô–γ¢KªÍz74¸šbL¤ÜÛ^§c9[ƒò¦#Íðö_9#ŠKáPPœå-WNMÑ”… j’?êwȶaQÎ$'c«9ÓrspµƒÂ¤F®OUÝ|6ûþÑû þ üM€ M§»¦~ü IEND®B`‚

I wasn’t aware of a malware with social.png name and I can’t be the only one, social.png can easily be the name of the social icons for the theme… but most themes will / should be using icon fonts anyway.

That doesn’t look dodgy to me but run it through a php obfuscator such as

It doesn’t have the obvious php code such as variables ($something = ) and php start / end tags.

I think it’s just a poorly named file rather than malware… let Envato know about the social.png malware and they can check themes for the issue, but it’s unlikely any theme from Themeforest will have it imho.

The social.png exploit is about 45kb in size. The file in your screenshot is 5kb in size.

This is just a picture! A legitimate picture. There is no hidden code here.

Please update your support ticket (and anywhere else you have posted this) to say there is nothing to worry about.

I have files called social in my items too. There are hundreds of exploits and they are named all sorts of things. Even functions.php can contain exploits, and that file is required for WordPress to work. Thinking something is an exploit based on file name alone is not the right way to do things.

Double click on that picture and open in it, what do you see? (And no, a php script named .png will not run a virus on your computer when opened. It actually won’t run at all even if you uploaded it to a website, this script needs to be triggered a special way)


Firstly - Google social.png -what do you find? thousands of articles about the malware famously known as social.png. Nothing else, no reference to real file with that name…it is in fact the most highly exploited malware file name this year. Why use it at all???

Secondly, I will repeat…this is just really bad planning to use an exploited file name… I delete it on site - no questions asked!. The functions.php yes I understand the need to review that file because it is in fact properly named, is required by all WordPress websites and is a php file. In addition the symptom is it breaks your theme when this happens with an easy fix usually to remove the line of code. That one you see the results immediately and no one can live without it in the WP world without a lot of effort to change a lot of references to it.

Anyways, not happy to receive a file called social.png from anyone. Sorry but that’s from experience!

but if you read my post, even I didn’t know the exploit disguised as a png file, the author is probably the same, 99% it was done by accident and they weren’t aware, if you let them know they can rename it in future so not to raise suspicions.

The question is simply when you open social.png image appears or is blank? Because if it’s blank is not ok .

First time I had heard of that exploit too. Although that “type” of exploit is really popular, it can be called anything, even “untitled.bmp” if you wanted to.