Nepenthes is a low interaction honeypot. As such it can only simulate known vulnerable services. As it can only simulate a known vuln it will not catch an 0day exploit. What it will capture is the initial network traffic of the exploit before it 'changes direction' and diverges from the vulnerability being emulated. This traffic is captured via the portwatch module. Ideally, you would want a high interaction (actual system) honeypot to see exactly what this malware would attempt to exploit. Look at the genIII honeypot/net from the honeynet project if you want a high interaction honeypot.
Look into the submission module that allows you to submit samples to Norman and CWsandbox automatically. This will speed up initial analysis.
A lot of malware (the latest stormworm iteration for example) will use two or more stages to download the malware onto the system. The initial exe can end up being the only way to get the final payload.