You're right, but that's not the point. Malware can change this flag on a hot computer and the user will not notice it when signing the transaction; that's the danger.
Malware can do a whole host of things on a hot computer, from installing keyloggers and replacing your destinations with theirs, to seemingly signing your own transaction but, when you choose to broadcast, signing and broadcasting theirs. They can even alter the cryptographic libraries so that it seems you are signing and broadcasting your own, and indeed it is true from a blockchain perspective, but they will know how to work out your private key afterwards.
The last thing malware will do is choose to give the coins to a miner by using SIGHASH_NONE.
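The point both posts turn on is what a signature actually commits to under each hash type. The following is an added example, not code from this thread, using a deliberately simplified model of the sighash preimage (a readable string rather than Bitcoin's real legacy/segwit serialization; the real SIGHASH_NONE also zeroes other inputs' sequence numbers, which is omitted here). The hash-type constants are the real Bitcoin values; the transaction data and addresses are constructed sample values. It shows that flipping the type byte from SIGHASH_ALL to SIGHASH_NONE leaves the outputs unbound, so anyone holding the signed transaction can redirect the coins, and it includes the signer-side policy check a wallet or hardware signer should enforce by default.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Real Bitcoin hash-type values (low 5 bits select the base type).
SIGHASH_ALL = 0x01
SIGHASH_NONE = 0x02
SIGHASH_SINGLE = 0x03
SIGHASH_ANYONECANPAY = 0x80


@dataclass
class TxIn:
    txid: str   # hex id of the previous transaction (constructed in the sample)
    vout: int   # index of the output being spent


@dataclass
class TxOut:
    value_sat: int
    address: str


@dataclass
class Tx:
    inputs: List[TxIn]
    outputs: List[TxOut]


def dsha256(data: bytes) -> bytes:
    """Double SHA-256, as used for Bitcoin signature digests."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def sighash_preimage(tx: Tx, input_index: int, hash_type: int) -> bytes:
    """Simplified model of which transaction fields a signature covers.

    This is an illustrative serialization, not Bitcoin's actual one; it keeps
    only the decision of *what is included* for each hash type.
    """
    base_type = hash_type & 0x1F
    # ANYONECANPAY: commit only to the input being signed, not the others.
    ins = [tx.inputs[input_index]] if hash_type & SIGHASH_ANYONECANPAY else tx.inputs
    parts = [f"in:{i.txid}:{i.vout}" for i in ins]
    if base_type == SIGHASH_ALL:
        outs = tx.outputs                                   # every output is bound
    elif base_type == SIGHASH_SINGLE:
        outs = tx.outputs[input_index:input_index + 1]      # only the matching output
    else:  # SIGHASH_NONE
        outs = []                                           # no output is bound at all
    parts += [f"out:{o.value_sat}:{o.address}" for o in outs]
    parts.append(f"type:{hash_type:02x}")                   # the type byte itself is signed
    return "|".join(parts).encode()


def sighash(tx: Tx, input_index: int, hash_type: int) -> str:
    return dsha256(sighash_preimage(tx, input_index, hash_type)).hex()


def outputs_bound(tx: Tx, input_index: int, hash_type: int) -> bool:
    """True if replacing every output address changes the digest the signer commits to."""
    original = sighash(tx, input_index, hash_type)
    # Constructed "what if someone rewrites every destination" variant of the transaction.
    rewritten = Tx(tx.inputs, [TxOut(o.value_sat, "replaced-destination") for o in tx.outputs])
    return sighash(rewritten, input_index, hash_type) != original


def signing_policy_ok(hash_type: int) -> bool:
    """Signer-side check: a wallet should refuse to sign with anything but SIGHASH_ALL
    unless the user has explicitly opted into another type for a specific protocol."""
    return hash_type == SIGHASH_ALL


# Constructed sample transaction (ids and addresses are not real).
SAMPLE_TX = Tx(
    inputs=[TxIn("aa" * 32, 0), TxIn("bb" * 32, 1)],
    outputs=[TxOut(50_000, "recipient-address"), TxOut(9_000, "change-address")],
)

if __name__ == "__main__":
    for name, ht in (("ALL", SIGHASH_ALL), ("NONE", SIGHASH_NONE), ("SINGLE", SIGHASH_SINGLE)):
        print(f"SIGHASH_{name:6} outputs bound: {outputs_bound(SAMPLE_TX, 0, ht)}  "
              f"policy ok: {signing_policy_ok(ht)}")
```

Run with `python3 sighash_demo.py`: with SIGHASH_ALL the digest changes when the outputs are rewritten, with SIGHASH_NONE it does not, which is exactly why a silently flipped type byte on a hot machine is dangerous even though the signature itself is valid.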