Analysis

No real issues from the OWASP Top 10 were discovered so it was strange that the web site was indeed infected or hacked to distribute malware.

On one page a strange looking JavaScript was detected in particular because there was an encoded string, but it didn't resemble any other known ways of JavaScript obfuscation like Base64 encoding, encryption or other obfuscation techniques.

The only way to detect malicious behavior was executing the script in a browser and intercepting the request in Burp:

 

Calid.org is a known malware distributor site according to Google Safe Browsing Diagnostics page (http://www.google.com/safebrowsing/diagnostic?site=http://calid.org):