What is pclzip.lib.php file that wordfence think it's a malicious code

Sounds like it is definitely malicious code masquerading as a legitimate file. In WordPress core the legitimate file lives as /wp-admin/includes/class-pclzip.php so there is no need for this to be there as a separate file, legitimate uses would just include this core file class and use that, not write it to a directory in wp-content without asking.

The only other option is it's being written there by a plugin or theme that uses it for uploads - but that is highly unlikely and a major security risk even in that case so any plugin/theme doing that should be ditched. Upload scripts like are the worst security hole as easiest to exploit. But the content of the file should give you more clues - it will probably look like junk code.

If it keeps coming back you may want to change the permissions on the /wp-content/uploader/ directory so it is not writeable. But that may or may not be enough, depending on the complexity of the script writing it. There is usually another file that is infected that is rewriting this file when it is not found.

Bottom line best to start researching how to clean up a hacked site ASAP. Start with a scan tool like maldetect and go from there. It may be safer and faster to go with a clean re-install of WordPress and all plugins and theme, and add more security plugins because the original vulnerability is still unknown.

According to this post, it looks that this file is a backup file. Are you using any plugin for backups, for example Backup Creator or WordPress Back up by BTE?

It isn't normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content and easily writable is uploads, or whatever they are customized to.

If it appears malicious, behaves malicious, and security tool thinks its malicious — it's a safe guess that it is. It also might not be malicious itself, but used as part of malicious payload for utility purposes (open source! :).