What it does is shown in the last image and what I said in the post (which seems to differs from your example), creates a hidden iframe and connects to an IP in the Ukraine. After that I don't care what it does, just that avast has in my mind done its job and blocked the insertion of an obfuscated script (JS:ScriptXE-inf [Trj])
Even if your explanation is right it is still a good detection by avast, I just don't go to any depth when I find what I consider is enough evidence to confirm a good detection.