If there are any security holes in Virtual Machine then actually malware could jump from one to another. There were PoCs in the past.
Also, most malware will detect that it's running within visualised environment and will shut down/destroy itself to make forensics more difficult.
On top of that you have network traffic - and that could be another attack point. Some malware can infect Hardware and stay within hardware - so if you pass over USB stick or anything else that could get infected.
Guest Addons would be your biggest concern - without them Windows is quite limited, with them installed you are exposing host...
No software is 100% secure, never was and never will be. Especially closed-source!
What you are trying to achieve here?