1. I assume, if somebody is maliciously accessing my wallet.dat file while the wallet is locked, he can import the wallet.dat to another bitcoin core but he can not spend anything without the walletpassphrase, right?
Yes. The encrypted keys are stored in memory and unlocked and stored in memory for a specific period of time. The keys in the wallet.dat are never decrypted.
2. What happens if the wallet.dat file is maliciously accessed while the wallet is unlocked? For example, wallet is unlocked for 10 minutes between 5 and 5:10 PM. Somebody is downloading the wallet at 5:01 PM and imports it into another bitcoin core until 5:05 PM. Can he spend all the coins until 5:10 PM without having to unlock the wallet with the walletpassphrase? What about a later time?
No. The unlock timeframe really doesn't matter with the time. If Bitcoin Core were to decrypt wallet.dat instead, they would just decrypt it for X amount of time and lock it again afterwards. It shouldn't be associated with time.
They can't do anything with the wallet.dat when its encrypted, even if you unlock it. They will still need a malware or keylogger; which they should have if they can download the wallet.dat. The time function is basically the amount of time that the decrypted keys will be stored in memory. After that, that part of the memory is wiped clean.