Is the malware in each post in the database? If so, something is inserting it, so you need to fix that first. Lots of googles/bings/ducks on how to remove malware from a WP site. (I have my own procedure here that I use for clients: https://www.securitydawg.com/recovering-from-a-hacked-wordpress-site/ ; there are others.)
I’d do a thorough cleanup of the site; changing credentials (everywhere, not just WP), strong passwords throughout; look for unauthorized files; check wp-config.php and other files for inserted code; a fresh install of plugins/themes from known good sources (via FTP); update everything; update your PHP version; and more.
And then look at the wp-posts table for inserted content. The script code might be different for each post, so you may need to manually fix things.
And, of course, a backup of your database before any major changes.