Hi sebastian348,
I agree with DavidR, but there are some points to consider here. Just one engine flagging at VT could be a sign that the detection could be a false positive. The more engines that flag, the more likely it is a genuine detection.
On the other hand, let us see where this download is being hosted and the vulnerabilities found there.
Retirable code on the download page:
bootstrap 3.3.4 Found in -https://www.autohotkey.com/assets/bootstrap/js/bootstrap.min.js
Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
jquery 1.11.2 Found in -https://www.autohotkey.com/assets/jquery/jquery.min.js
Vulnerability info:
Medium 2432 3rd party CORS request may execute CVE-2015-9251
Medium CVE-2015-9251 11974 parseHTML() executes scripts in event handlers
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Avast qualifies this site as "may be untrustworthy", see the autokey dot com scamsite that is for sale.
2 tracking scripts are being blocked.
CloudFlare -> -https://www.autohotkey.com/cdn-cgi/apps/head/21XiSFXBdVHXl7A_izEkLSn9ayc.js
Flagged because of
https://fonts.googleapis.com/css?family=Roboto:700,400&subset=cyrillic,latin,greek,vietnamese

polonus (volunteer 3rd party cold recon website-security analyst and website error-hunter)