You’re probably going to need to check every line of code- I got hit by the Tim Thumb vulnerability a couple years ago, and I think some code was injecting rolling malicious links into my theme. I had to go through everything line by line.