It seems that the added code in the functions.php was what added the malicious code to the pages as they were created. I can’t see the code within the page now.

You also need to ensure that your wordpress version is updated: