Here are the steps I would take to find and eliminate this:

1. Look in the header.php file of your theme. This would be /wp-content/themes/child/header.php. In particular, look just below the body class and comment out any functions or PHP code you might find directly below this to see if there is a malicious function being called. The body tag probably looks like this:

   <body <?php body_class($class); ?>>

2. Deactivate all plugins on the site and check to see if the problem still persists. If it doesn't, then enable the plugins one by one until you find the culprit.

3. It looks like maybe they could be hooking into the body_class filter. Run a text search across all of your template files for a body_class filter, which will look like this:

   add_filter( 'body_class', 'filter_function_name' )

You'll want to search for add_filter( 'body_class and add_filter('body_class to catch possible differences in the whitespace.

Hopefully you'll find something.

Look everywhere. If one file has been compromised, then there's no reason to suppose that your other files are all safe.

Your best bet is to delete WordPress entirely, check your database thoroughly for content added by the hackers, change all your passwords (including site admin, MySQL and FTP) and then reinstall WordPress over the same database. But this time, be very careful when choosing themes and plugins. It's really not uncommon for nice-looking WordPress themes to have gaping security flaws.

For what it's worth, here's a PHP script that I wrote to disinfect a site with a similar problem. It may not work on your site, but it should give you some idea of what to look out for.