https://bugs.winehq.org/show_bug.cgi?id=45852
--- Comment #3 from Fred fred@clift.org --- AV is up to date.
Here is the virustotal scan:
https://www.virustotal.com/#/file/25566c21ab8b095c3e67723ac7e88334c9f45d391d...
It very well could be a false-positive on their part. Are wine builds reproducible? Could someone make sure that the source on whatever machine builds the release isn't compromised and that building from that source produces the same output?
Looking at the big picture, it doesn't seem that this would be the favored point of attack if the build system were compromised by an attacker who wanted to include malware in an opensource project. I'm leaning toward 'its a safe false positive' myself, but it's probably worth a double check of the build boxes.